Windows Analysis Report
msws.msi

Overview

General Information

Sample name: msws.msi
Analysis ID: 1513255
MD5: c13c4c025c5c779d5dc8848ef160d5da
SHA1: d7671d1f301d74aece0db320701395a5cd8cf29a
SHA256: ba2e21641a1238a5b30e535bd0940fcd316a6e5242bfdd48a97aaa203d11642b
Tags: libraofficeonline-commsi
Infos:

Detection

ORPCBackdoor
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected ORPCBackdoor
AI detected suspicious sample
Uses dynamic DNS services
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 2936 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\msws.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6976 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6484 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B12D13CACE43515F68A41F2B0DDB3F8C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • expand.exe (PID: 1372 cmdline: "C:\Windows\System32\expand.exe" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
        • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSWordServices.exe (PID: 2788 cmdline: "C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe" MD5: FC860959580C124E7E4781BB08437681)
  • MSWordServices.exe (PID: 1468 cmdline: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe MD5: FC860959580C124E7E4781BB08437681)
    • WerFault.exe (PID: 6120 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3381013468.0000000000AFD000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_ORPCBackdoor | Yara detected ORPCBackdoor | Joe Security |
Process Memory Space: MSWordServices.exe PID: 2788 | JoeSecurity_ORPCBackdoor | Yara detected ORPCBackdoor | Joe Security |
Process Memory Space: MSWordServices.exe PID: 1468 | JoeSecurity_ORPCBackdoor | Yara detected ORPCBackdoor | Joe Security |
        No Sigma rule has matched
        No Suricata rule has matched

        AV Detection

        Source: msws.msi | Avira: detected
        Source: C:\Windows\Installer\6ef47a.msi | Avira: detection malicious, Label: TR/Agent.ynmzr
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\840ab06c8b2f5b449385041b6c507ff7.tmp | Avira: detection malicious, Label: TR/Agent.athug
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\840ab06c8b2f5b449385041b6c507ff7.tmp | ReversingLabs: Detection: 75%
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\OLMAPI32.dll (copy) | ReversingLabs: Detection: 75%
        Source: msws.msi | ReversingLabs: Detection: 60%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.3% probability
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
        Source: Binary string: t:\outlook\x86\ship\0\cnfnot32.pdb\ship\0\cnfnot32.exe\bbtopt\cnfnot32O.pdbO source: expand.exe, 00000004.00000003.2151910277.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, 64537d8fc3380a4bb24ba512ffb97757.tmp.4.dr
        Source: Binary string: t:\outlook\x86\ship\0\cnfnot32.pdb source: MSWordServices.exe, MSWordServices.exe, 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000000.2183974221.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, 64537d8fc3380a4bb24ba512ffb97757.tmp.4.dr
        Source: Binary string: \ship\0\cnfnot32.exe\bbtopt\cnfnot32O.pdb source: MSWordServices.exe, MSWordServices.exe, 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000000.2183974221.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, 64537d8fc3380a4bb24ba512ffb97757.tmp.4.dr
        Source: Binary string: t:\outlook\x86\ship\0\cnfnot32.pdb\ship\0\cnfnot32.exe\bbtopt\cnfnot32O.pdb source: MSWordServices.exe, 00000006.00000000.2159308758.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000000.2183974221.000000002DE01000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: msws.msi, 6ef47a.msi.1.dr, MSIF9BA.tmp.1.dr
        Source: C:\Windows\System32\msiexec.exe | File opened: z:
        Source: C:\Windows\System32\msiexec.exe | File opened: x:
        Source: C:\Windows\System32\msiexec.exe | File opened: v:
        Source: C:\Windows\System32\msiexec.exe | File opened: t:
        Source: C:\Windows\System32\msiexec.exe | File opened: r:
        Source: C:\Windows\System32\msiexec.exe | File opened: p:
        Source: C:\Windows\System32\msiexec.exe | File opened: n:
        Source: C:\Windows\System32\msiexec.exe | File opened: l:
        Source: C:\Windows\System32\msiexec.exe | File opened: j:
        Source: C:\Windows\System32\msiexec.exe | File opened: h:
        Source: C:\Windows\System32\msiexec.exe | File opened: f:
        Source: C:\Windows\System32\msiexec.exe | File opened: b:
        Source: C:\Windows\System32\msiexec.exe | File opened: y:
        Source: C:\Windows\System32\msiexec.exe | File opened: w:
        Source: C:\Windows\System32\msiexec.exe | File opened: u:
        Source: C:\Windows\System32\msiexec.exe | File opened: s:
        Source: C:\Windows\System32\msiexec.exe | File opened: q:
        Source: C:\Windows\System32\msiexec.exe | File opened: o:
        Source: C:\Windows\System32\msiexec.exe | File opened: m:
        Source: C:\Windows\System32\msiexec.exe | File opened: k:
        Source: C:\Windows\System32\msiexec.exe | File opened: i:
        Source: C:\Windows\System32\msiexec.exe | File opened: g:
        Source: C:\Windows\System32\msiexec.exe | File opened: e:
        Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
        Source: C:\Windows\System32\msiexec.exe | File opened: a:
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Code function: 6_2_6C8FA2F4 FindFirstFileExW, 6_2_6C8FA2F4
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe | Code function: 7_2_6C8FA2F4 FindFirstFileExW, 7_2_6C8FA2F4

        Networking

        Source: unknown | DNS query: name: outlook-web.ddns.net
        Source: Joe Sandbox View | ASN Name: EDIS-AS-EUAT EDIS-AS-EUAT
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: outlook-web.ddns.net
        Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56635 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51166
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51167
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51164
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51165
        Source: unknownNetwork traffic detected: HTTP traffic on port 60638 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51168
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51169
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51170
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51173
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51171
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51172
        Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 59625 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50824 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57444 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51177
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51178
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51175
        Source: unknownNetwork traffic detected: HTTP traffic on port 53104 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51176
        Source: unknownNetwork traffic detected: HTTP traffic on port 61195 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51179
        Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51180
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51181
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51184
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51185
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51182
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51183
        Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53562 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 54454 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51108
        Source: unknownNetwork traffic detected: HTTP traffic on port 56576 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51109
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51106
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53769
        Source: unknownNetwork traffic detected: HTTP traffic on port 59601 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51107
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53768
        Source: unknownNetwork traffic detected: HTTP traffic on port 54395 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53763
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51100
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51101
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53762
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53761
        Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53760
        Source: unknownNetwork traffic detected: HTTP traffic on port 57420 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51104
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53767
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51105
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53766
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51102
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53765
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51103
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53764
        Source: unknownNetwork traffic detected: HTTP traffic on port 61988 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53770
        Source: unknownNetwork traffic detected: HTTP traffic on port 50848 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57503 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51119
        Source: unknownNetwork traffic detected: HTTP traffic on port 56659 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51117
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53779
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51118
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51111
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53774
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51112
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53773
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53772
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51110
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53771
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51115
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53778
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51116
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53777
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51113
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53776
        Source: unknownNetwork traffic detected: HTTP traffic on port 54466 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 59613 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51114
        Source: unknownNetwork traffic detected: HTTP traffic on port 53550 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53775
        Source: unknownNetwork traffic detected: HTTP traffic on port 56564 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56588 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 51704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53781
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53780
        Source: unknownNetwork traffic detected: HTTP traffic on port 50067 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 60602 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51128
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51129
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53785
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51122
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51123
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53784
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51120
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53783
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51121
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53782
        Source: unknownNetwork traffic detected: HTTP traffic on port 57493 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51126
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53789
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51127
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53788
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51124
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53787
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51125
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53786
        Source: unknownNetwork traffic detected: HTTP traffic on port 50836 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 54008 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53792
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51130
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53791
        Source: unknownNetwork traffic detected: HTTP traffic on port 57432 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53790
        Source: unknownNetwork traffic detected: HTTP traffic on port 54478 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51139
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51133
        Source: unknownNetwork traffic detected: HTTP traffic on port 52694 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53796
        Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51134
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53795
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51131
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53794
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51132
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53793
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51137
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53799
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51138
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53798
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51135
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51136
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53797
        Source: unknownNetwork traffic detected: HTTP traffic on port 60614 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56647 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53549 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51140
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51141
        Source: unknownNetwork traffic detected: HTTP traffic on port 52682 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56540 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 51728 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 55718 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61531 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 54491 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58361 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57527 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58373 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57515 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 55706 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50031 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50043 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61518 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56527 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56552 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 51716 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57481 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53491 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52670 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51188
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51189
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51186
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51187
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51191
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51190
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51195
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51196
        Source: unknownNetwork traffic detected: HTTP traffic on port 58385 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51194
        Source: unknownNetwork traffic detected: HTTP traffic on port 51741 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51199
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51197
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51198
        Source: unknownNetwork traffic detected: HTTP traffic on port 53574 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52669 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57540 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50800 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56539 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 62423 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58397 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56611 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53586 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61506 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57539 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52657 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 57468 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61602 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56251 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56973 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 59769 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53466 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 55647 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53454 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50956 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61614 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61087 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53903
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53902
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53901
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53900
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53907
        Source: unknownNetwork traffic detected: HTTP traffic on port 50932 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52116 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52141 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53906
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53905
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53904
        Source: unknownNetwork traffic detected: HTTP traffic on port 50968 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56263 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53909
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53908
        Source: unknownNetwork traffic detected: HTTP traffic on port 59757 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53914
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53913
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53912
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53911
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53918
        Source: unknownNetwork traffic detected: HTTP traffic on port 61626 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53917
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53916
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53915
        Source: unknownNetwork traffic detected: HTTP traffic on port 61099 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53910
        Source: unknownNetwork traffic detected: HTTP traffic on port 55635 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56238 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53919
        Source: unknownNetwork traffic detected: HTTP traffic on port 56985 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 59733 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52104 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50920 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50919 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52153 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 55660 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52165 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61063 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56515 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 62915 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56503 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50907 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53478 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 55659 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50511 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50381 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 56961 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50981 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 59745 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61075 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51306
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53969
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53968
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51307
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE0BB17 GetParent,GetAsyncKeyState,SendMessageA,6_2_2DE0BB17
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE12F1C GetKeyState,GetKeyState,GetKeyState,GetKeyState,6_2_2DE12F1C
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 7_2_2DE12F1C GetKeyState,GetKeyState,GetKeyState,GetKeyState,7_2_2DE12F1C
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6ef47a.msi
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E22E6085-4A70-49E4-B1C5-4305B74C3132}
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF9BA.tmp
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 2DE13812 appears 42 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 6C8EDDA4 appears 52 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 6C8F2C29 appears 34 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 6C8D4A5D appears 70 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 6C8E2890 appears 114 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 2DE179AF appears 154 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 2DE1793E appears 38 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 2DE179E2 appears 42 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: String function: 2DE15923 appears 40 times
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1008
        Source: classification engineClassification label: mal88.troj.evad.winMSI@11/19@3/1
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8D7E9F CreateToolhelp32Snapshot,Process32First,CloseHandle,OpenProcess,Process32Next,CloseHandle,6_2_6C8D7E9F
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8DCB90 CoInitializeEx,CoInitializeSecurity,CoUninitialize,GetModuleFileNameW,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,6_2_6C8DCB90
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE15C05 FindResourceA,6_2_2DE15C05
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1468
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF5E036ED87243F5CB.TMP
        Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\msiwrapper.ini
        Source: C:\Windows\SysWOW64\expand.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: msws.msi ReversingLabs: Detection: 60%
        Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\msws.msi"
        Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
        Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B12D13CACE43515F68A41F2B0DDB3F8C
        Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\System32\expand.exe" -R files.cab -F:* files
        Source: C:\Windows\SysWOW64\expand.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe "C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe"
        Source: unknown Process created: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1008
        Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
        Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: dpx.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: wdscore.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: dbgcore.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\expand.exe Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: olmapi32.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: netapi32.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: wkscli.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: taskschd.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: xmllite.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: olmapi32.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: netapi32.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: wkscli.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
        Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\msiwrapper.ini
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
        Source: Binary string: t:\outlook\x86\ship\0\cnfnot32.pdb\ship\0\cnfnot32.exe\bbtopt\cnfnot32O.pdbO source: expand.exe, 00000004.00000003.2151910277.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, 64537d8fc3380a4bb24ba512ffb97757.tmp.4.dr
        Source: Binary string: t:\outlook\x86\ship\0\cnfnot32.pdb source: MSWordServices.exe, MSWordServices.exe, 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000000.2183974221.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, 64537d8fc3380a4bb24ba512ffb97757.tmp.4.dr
        Source: Binary string: \ship\0\cnfnot32.exe\bbtopt\cnfnot32O.pdb source: MSWordServices.exe, MSWordServices.exe, 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000000.2183974221.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, 64537d8fc3380a4bb24ba512ffb97757.tmp.4.dr
        Source: Binary string: t:\outlook\x86\ship\0\cnfnot32.pdb\ship\0\cnfnot32.exe\bbtopt\cnfnot32O.pdb source: MSWordServices.exe, 00000006.00000000.2159308758.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, MSWordServices.exe, 00000007.00000000.2183974221.000000002DE01000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: msws.msi, 6ef47a.msi.1.dr, MSIF9BA.tmp.1.dr
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE183CC GetSystemDirectoryW,LoadLibraryExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,6_2_2DE183CC
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE17983 push ecx; ret 6_2_2DE17996
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE17A87 push ecx; ret 6_2_2DE17A9A
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_6C8E251B push ecx; ret 6_2_6C8E252E
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 7_2_2DE17983 push ecx; ret 7_2_2DE17996
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 7_2_2DE17A87 push ecx; ret 7_2_2DE17A9A
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 7_2_6C8E251B push ecx; ret 7_2_6C8E252E
        Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe (copy)
        Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\840ab06c8b2f5b449385041b6c507ff7.tmp
        Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF9BA.tmp
        Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\64537d8fc3380a4bb24ba512ffb97757.tmp
        Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\OLMAPI32.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_6C8DEA93 GetSystemDirectoryW,GetSystemInfo,GetComputerNameW,RegOpenKeyExW,GetVersionExW,GetModuleHandleA,LoadStringW,wsprintfA,wsprintfA,wsprintfA,RegCloseKey,GetPrivateProfileStringW,GetPrivateProfileStringW,GetModuleHandleA,LoadStringW,GetLocaleInfoW,SHLoadIndirectString,SHLoadIndirectString,GetTimeZoneInformation,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,GlobalMemoryStatus,NetGetJoinInformation,NetApiBufferFree,6_2_6C8DEA93
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 7_2_6C8DEA93 GetSystemDirectoryW,GetSystemInfo,GetComputerNameW,RegOpenKeyExW,GetVersionExW,GetModuleHandleA,LoadStringW,wsprintfA,wsprintfA,wsprintfA,RegCloseKey,GetPrivateProfileStringW,GetPrivateProfileStringW,GetModuleHandleA,LoadStringW,GetLocaleInfoW,SHLoadIndirectString,SHLoadIndirectString,GetTimeZoneInformation,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,GlobalMemoryStatus,NetGetJoinInformation,NetApiBufferFree,7_2_6C8DEA93
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE140C6 IsWindowVisible,IsIconic,ShowWindow,6_2_2DE140C6
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 6_2_2DE07BC9 __ehhandler$?_RunAndWait@_StructuredTaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z,__EH_prolog3_catch,IsIconic,SetForegroundWindow,LoadMenuW,MultiByteToWideChar,SetWindowLongA,GetFocus,SetFocus,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SetForegroundWindow,PeekMessageA,PeekMessageA,6_2_2DE07BC9
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 7_2_2DE140C6 IsWindowVisible,IsIconic,ShowWindow,7_2_2DE140C6
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Code function: 7_2_2DE07BC9 __ehhandler$?_RunAndWait@_StructuredTaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z,__EH_prolog3_catch,IsIconic,SetForegroundWindow,LoadMenuW,MultiByteToWideChar,SetWindowLongA,GetFocus,SetFocus,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SetForegroundWindow,PeekMessageA,PeekMessageA,7_2_2DE07BC9
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8DE49B ?GetFileVersionInfoByHandleEx@@YGHXZ,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_6C8DE49B
        Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS name: BIOSVENDOR
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Thread delayed: delay time: 180000
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_6-42367
        Source: C:\Windows\SysWOW64\expand.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\840ab06c8b2f5b449385041b6c507ff7.tmp
        Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF9BA.tmp
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe API coverage: 9.1 %
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe API coverage: 7.4 %
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe TID: 2052 Thread sleep time: -60000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe TID: 2052 Thread sleep time: -180000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe TID: 3884 Thread sleep time: -180000s >= -30000s
        Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\SysWOW64\expand.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8FA2F4 FindFirstFileExW,6_2_6C8FA2F4
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_6C8FA2F4 FindFirstFileExW,7_2_6C8FA2F4
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8DEA93 GetSystemDirectoryW,GetSystemInfo,GetComputerNameW,RegOpenKeyExW,GetVersionExW,GetModuleHandleA,LoadStringW,wsprintfA,wsprintfA,wsprintfA,RegCloseKey,GetPrivateProfileStringW,GetPrivateProfileStringW,GetModuleHandleA,LoadStringW,GetLocaleInfoW,SHLoadIndirectString,SHLoadIndirectString,GetTimeZoneInformation,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,GlobalMemoryStatus,NetGetJoinInformation,NetApiBufferFree,6_2_6C8DEA93
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeThread delayed: delay time: 60000Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeThread delayed: delay time: 180000Jump to behavior
        Source: MSWordServices.exe, 00000006.00000002.3381127862.0000000000BBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWN
        Source: MSWordServices.exe, 00000006.00000002.3381127862.0000000000BBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeProcess queried: DebugPortJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE17592 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,6_2_2DE17592
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE03E45 OutputDebugStringA,GetLastError,6_2_2DE03E45
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE183CC GetSystemDirectoryW,LoadLibraryExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,6_2_2DE183CC
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8E6E04 mov ecx, dword ptr fs:[00000030h]6_2_6C8E6E04
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8F2767 mov eax, dword ptr fs:[00000030h]6_2_6C8F2767
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_6C8E6E04 mov ecx, dword ptr fs:[00000030h]7_2_6C8E6E04
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_6C8F2767 mov eax, dword ptr fs:[00000030h]7_2_6C8F2767
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE174DE GetModuleHandleW,GetProcAddress,GetProcessHeap,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,VirtualProtect,VirtualProtect,VirtualProtect,6_2_2DE174DE
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE17592 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,6_2_2DE17592
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE17EC9 SetUnhandledExceptionFilter,6_2_2DE17EC9
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8E1C41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6C8E1C41
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8E270B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6C8E270B
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8E6733 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6C8E6733
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_2DE17592 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,7_2_2DE17592
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_2DE17EC9 SetUnhandledExceptionFilter,7_2_2DE17EC9
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_6C8E1C41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6C8E1C41
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_6C8E270B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6C8E270B
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_6C8E6733 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6C8E6733
        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\System32\expand.exe" -R files.cab -F:* filesJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe "C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe" Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8E28D5 cpuid 6_2_6C8E28D5
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetSystemDirectoryW,GetSystemInfo,GetComputerNameW,RegOpenKeyExW,GetVersionExW,GetModuleHandleA,LoadStringW,wsprintfA,wsprintfA,wsprintfA,RegCloseKey,GetPrivateProfileStringW,GetPrivateProfileStringW,GetModuleHandleA,LoadStringW,GetLocaleInfoW,SHLoadIndirectString,SHLoadIndirectString,GetTimeZoneInformation,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,GlobalMemoryStatus,NetGetJoinInformation,NetApiBufferFree,6_2_6C8DEA93
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,6_2_6C8F2EBB
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_6C8FCF41
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_6C8FD8A5
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,6_2_6C8F2995
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,6_2_6C8FD5A7
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_6C8FD6D0
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,6_2_6C8FD7D6
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,6_2_6C8FD1E3
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,6_2_6C8FD13C
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,6_2_6C8FD2C9
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,6_2_6C8FD22E
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_6C8FD354
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetSystemDirectoryW,GetSystemInfo,GetComputerNameW,RegOpenKeyExW,GetVersionExW,GetModuleHandleA,LoadStringW,wsprintfA,wsprintfA,wsprintfA,RegCloseKey,GetPrivateProfileStringW,GetPrivateProfileStringW,GetModuleHandleA,LoadStringW,GetLocaleInfoW,SHLoadIndirectString,SHLoadIndirectString,GetTimeZoneInformation,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,GlobalMemoryStatus,NetGetJoinInformation,NetApiBufferFree,7_2_6C8DEA93
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,7_2_6C8F2EBB
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,7_2_6C8FCF41
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_6C8FD8A5
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,7_2_6C8F2995
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,7_2_6C8FD5A7
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_6C8FD6D0
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,7_2_6C8FD7D6
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,7_2_6C8FD1E3
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,7_2_6C8FD13C
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,7_2_6C8FD2C9
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: EnumSystemLocalesW,7_2_6C8FD22E
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_6C8FD354
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
        Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE174DE GetModuleHandleW,GetProcAddress,GetProcessHeap,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,VirtualProtect,VirtualProtect,VirtualProtect,6_2_2DE174DE
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8D4F22 Sleep,GetModuleFileNameA,CreateFileA,CloseHandle,Sleep,CreateFileA,CloseHandle,CloseHandle,GetUserNameA,Sleep,CreateFileA,ReadFile,CloseHandle,Sleep,CreateFileA,RpcStringBindingComposeA,RpcBindingFromStringBindingA,_strcat,CreateFileA,WriteFile,CloseHandle,_strcat,_strcat,_strcat,_strncpy,_strcat,_strcat,_strcat,_strcat,_strcat,PathFileExistsA,DeleteFileA,CreateFileA,WriteFile,CloseHandle,PathFileExistsA,_strcat,WinExec,_strcat,_strcat,WinExec,Sleep,_strcat,_strcat,_strncpy,Sleep,Sleep,RpcStringFreeA,6_2_6C8D4F22
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8DEA93 GetSystemDirectoryW,GetSystemInfo,GetComputerNameW,RegOpenKeyExW,GetVersionExW,GetModuleHandleA,LoadStringW,wsprintfA,wsprintfA,wsprintfA,RegCloseKey,GetPrivateProfileStringW,GetPrivateProfileStringW,GetModuleHandleA,LoadStringW,GetLocaleInfoW,SHLoadIndirectString,SHLoadIndirectString,GetTimeZoneInformation,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,GlobalMemoryStatus,NetGetJoinInformation,NetApiBufferFree,6_2_6C8DEA93
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_2DE15E3D GetVersionExA,6_2_2DE15E3D
        Source: C:\Windows\SysWOW64\expand.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Stealing of Sensitive Information

        Source: Yara matchFile source: 00000006.00000002.3381013468.0000000000AFD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: MSWordServices.exe PID: 2788, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: MSWordServices.exe PID: 1468, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara matchFile source: 00000006.00000002.3381013468.0000000000AFD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: MSWordServices.exe PID: 2788, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: MSWordServices.exe PID: 1468, type: MEMORYSTR
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 6_2_6C8D4F22 Sleep,GetModuleFileNameA,CreateFileA,CloseHandle,Sleep,CreateFileA,CloseHandle,CloseHandle,GetUserNameA,Sleep,CreateFileA,ReadFile,CloseHandle,Sleep,CreateFileA,RpcStringBindingComposeA,RpcBindingFromStringBindingA,_strcat,CreateFileA,WriteFile,CloseHandle,_strcat,_strcat,_strcat,_strncpy,_strcat,_strcat,_strcat,_strcat,_strcat,PathFileExistsA,DeleteFileA,CreateFileA,WriteFile,CloseHandle,PathFileExistsA,_strcat,WinExec,_strcat,_strcat,WinExec,Sleep,_strcat,_strcat,_strncpy,Sleep,Sleep,RpcStringFreeA,6_2_6C8D4F22
        Source: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exeCode function: 7_2_6C8D4F22 Sleep,GetModuleFileNameA,CreateFileA,CloseHandle,Sleep,CreateFileA,CloseHandle,CloseHandle,GetUserNameA,Sleep,CreateFileA,ReadFile,CloseHandle,Sleep,CreateFileA,RpcStringBindingComposeA,RpcBindingFromStringBindingA,_strcat,CreateFileA,WriteFile,CloseHandle,_strcat,_strcat,_strcat,_strncpy,_strcat,_strcat,_strcat,_strcat,_strcat,PathFileExistsA,DeleteFileA,CreateFileA,WriteFile,CloseHandle,PathFileExistsA,_strcat,WinExec,_strcat,_strcat,WinExec,Sleep,_strcat,_strcat,_strncpy,Sleep,Sleep,RpcStringFreeA,7_2_6C8D4F22
        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 2 Masquerading | 21 Input Capture | 2 System Time Discovery | Remote Services | 21 Input Capture | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 12 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 Peripheral Device Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Account Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 3 File and Directory Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 66 System Information Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Behavior Graph ID: 1513255, Sample: msws.msi, Startdate: 18/09/2024, Architecture: WINDOWS, Score: 88
        Signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures
        DNS/IP: outlook-web.ddns.net
        msiexec.exe started
          dropped: C:\Windows\Installer\MSIF9BA.tmp, PE32
          dropped: C:\Windows\Installer\6ef47a.msi, Composite
          msiexec.exe started
            expand.exe started
              dropped: C:\Users\user\AppData\...\OLMAPI32.dll (copy), PE32
              dropped: C:\...\840ab06c8b2f5b449385041b6c507ff7.tmp, PE32
              dropped: C:\Users\user\...\MSWordServices.exe (copy), PE32
              dropped: C:\...\64537d8fc3380a4bb24ba512ffb97757.tmp, PE32
              conhost.exe started
            MSWordServices.exe started
              DNS/IP: outlook-web.ddns.net (signature: Uses dynamic DNS services)
              DNS/IP: outlook-web.ddns.net 151.236.9.174, 443, 49711, 49712 EDIS-AS-EUAT European Union
        MSWordServices.exe started
          WerFault.exe started
        msiexec.exe started

        Source | Detection | Scanner | Label
        msws.msi | 61% | ReversingLabs | Win32.Backdoor.Orpcbackdoor
        msws.msi | 100% | Avira | TR/Agent.ynmzr

        Source | Detection | Scanner | Label
        C:\Windows\Installer\6ef47a.msi | 100% | Avira | TR/Agent.ynmzr
        C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\840ab06c8b2f5b449385041b6c507ff7.tmp | 100% | Avira | TR/Agent.athug
        C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\64537d8fc3380a4bb24ba512ffb97757.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\840ab06c8b2f5b449385041b6c507ff7.tmp | 75% | ReversingLabs | Win32.Trojan.Generic
        C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\OLMAPI32.dll (copy) | 75% | ReversingLabs | Win32.Trojan.Generic
        C:\Windows\Installer\MSIF9BA.tmp | 0% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        outlook-web.ddns.net | 151.236.9.174 | true | true | | unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          151.236.9.174 | outlook-web.ddns.net | European Union | 57169 | EDIS-AS-EUAT | true
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1513255
          Start date and time:2024-09-18 17:22:05 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 5s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsofficecookbook.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Potential for more IOCs and behavior
          Number of analysed new started processes analysed:13
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:msws.msi
          Detection:MAL
          Classification:mal88.troj.evad.winMSI@11/19@3/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 93
          • Number of non-executed functions: 249
          Cookbook Comments:
          • Found application associated with file extension: .msi
          • Close Viewer
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 13.89.179.12
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing network information.
          • Report size getting too big, too many NtDeviceIoControlFile calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          • VT rate limit hit for: msws.msi
          Time | Type | Description
          11:23:00 | API Interceptor | 3x Sleep call for process: MSWordServices.exe modified
          11:23:06 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
          17:23:01 | Task Scheduler | Run new task: Microsoft Update path: C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe
          No context
          No context
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          EDIS-AS-EUAT | Mcb5K3TOWT.exe | malicious | Unknown | 192.36.38.33
          EDIS-AS-EUAT | 987123.exe | malicious | LummaC, Eternity Stealer, LummaC Stealer, SmokeLoader, Stealc, zgRAT | 192.36.38.33
          EDIS-AS-EUAT | 16GAuqLUFK.exe | malicious | Glupteba, RedLine, SmokeLoader, Stealc | 192.36.38.33
          EDIS-AS-EUAT | NBHEkIKDCr.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz | 192.36.38.33
          EDIS-AS-EUAT | file.exe | malicious | RedLine, SmokeLoader | 192.36.38.33
          EDIS-AS-EUAT | XqmbvBWVRN.elf | malicious | Mirai | 37.235.56.176
          EDIS-AS-EUAT | Q9WWwskOzG.elf | malicious | Mirai | 151.236.13.222
          EDIS-AS-EUAT | Document_Scan_482.js | malicious | IcedID | 151.236.9.176
          EDIS-AS-EUAT | qwb3x7yFdW.elf | malicious | Mirai | 151.236.13.224
          No context
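          Match | Associated Sample Name / URL | Detection | Threat Name
          C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\64537d8fc3380a4bb24ba512ffb97757.tmp | msas.msi | malicious | ORPCBackdoor
          C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\64537d8fc3380a4bb24ba512ffb97757.tmp | MicrosoftEdge.msi | malicious | ORPCBackdoor
          C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\2e15b4a5edec4957a683758e4becfe67$dpx$.tmp\64537d8fc3380a4bb24ba512ffb97757.tmp | MicrosoftEdge.msi | malicious | ORPCBackdoor
          C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe (copy) | msas.msi | malicious | ORPCBackdoor
          C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe (copy) | MicrosoftEdge.msi | malicious | ORPCBackdoor
          C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe (copy) | MicrosoftEdge.msi | malicious | ORPCBackdoor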
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.871170992330415
                      Encrypted:false
                      SSDEEP:96:z1FjzepZ/GFKsD4LzxTMbhdQXIDcQvc6QcEVcw3cE/P+HbHggggS/Yy2rLoDIhLm:5k/GFKnB0BU/IjGT1zuiFJZ24IO8j
                      MD5:A1C2B62F3E8E8E0A9D54CB19CC2D85B8
                      SHA1:4BB7F8F5D0BC7ED438D8BD209046EF1D9C39450F
                      SHA-256:3DF3C25C1F096729013C9E0F352DD1971FFEDF44E4D42FA5ECC2001918E2BA1B
                      SHA-512:B2E4C0F09C6B5B5FE3296130B48D56271DB8E346BB54D4B575E4DFF76E50FDB6CCDD0263340D68327EFAF0E9B453D00E4C8D708D97E061A60B0791A8869CC2C9
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.1.4.6.5.8.3.6.6.5.6.7.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.1.4.6.5.8.4.2.1.2.5.6.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.e.e.4.2.a.f.-.d.4.4.8.-.4.f.6.b.-.b.a.4.3.-.4.2.5.a.8.d.7.8.e.3.8.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.d.d.c.e.6.0.-.7.c.2.d.-.4.c.6.2.-.a.e.5.8.-.c.9.c.c.2.a.3.f.1.1.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.S.W.o.r.d.S.e.r.v.i.c.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.b.c.-.0.0.0.1.-.0.0.1.5.-.9.3.7.4.-.8.0.a.6.d.e.0.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.f.e.5.6.e.4.c.a.3.1.b.c.f.0.5.3.5.6.0.a.6.c.a.e.1.c.7.8.d.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.b.5.5.1.d.d.8.8.a.1.d.3.d.5.f.2.7.7.d.c.1.7.4.f.5.d.9.d.1.1.e.e.e.a.0.d.a.f.b.0.!.M.S.W.o.r.d.S.e.r.v.i.c.e.s...e.x.e.....T.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Wed Sep 18 15:23:03 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):54108
                      Entropy (8bit):2.2079851219657294
                      Encrypted:false
                      SSDEEP:384:wL87fYpwV5aQMhXto50wrOx1tPr0NztDXrVHsLY+OY6GKlFYt4yoicyVlkcyH1tI:N8p+BJUvBuRg
                      MD5:73C9BA6D6276492CA83E4662E36217ED
                      SHA1:36EF26E59D27F9E5F64049161383AA1C17E2D604
                      SHA-256:1416C548C8466AD7FFC65800AB81045FF4D134D4E232D1750F348DE3E7BD4B3C
                      SHA-512:FCBB1E75AAF3D6E73F841ECEEA9FDB81020F3851440C5AF3FE4DB153BBEC7D1F0B5E4922E7446BC58C177AD661EF820BA845E034169E979ECCB4DCFD49167E98
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):6344
                      Entropy (8bit):3.7183161449278255
                      Encrypted:false
                      SSDEEP:96:RSIU6o7wVetb0n6lU0Y14xYQE/HXY5aM4U589b0JOsfWjapm:R6l7wVeJ0n6lU0Y14q4pr589bwOsfiwm
                      MD5:00A3E3DF7A49C8AFF3564966B0C1C824
                      SHA1:DD762C9813FD82F4CF419FD836562116671EA73E
                      SHA-256:5E7546C586DA112CD3226A74D4B131D8FD51CC35A023E96F49A5D3B66650590B
                      SHA-512:E804342433984F7D066A489E78DC555DBA2C0A4C8460D7431D99647B81867C08916FA32654EC3367A41C772E2EFA553650B7B8250C8C8BD21F87F09E244450EF
                      Malicious:false
                      Reputation:low
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.6.8.<./.P.i.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4633
                      Entropy (8bit):4.483739865115084
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zs2CJg77aI9/0WpW8VYjTYm8M4JnlFID+q8TDwq4lSnd:uIjfRI7Ft7VTJERqGSnd
                      MD5:17C1D5F01CC923AB8FAC9ABB7560BAA5
                      SHA1:3C0A49DC47E71CA45BC0A1FC55E26F6AA8AACF62
                      SHA-256:070F50230F9454F5E8CAA9FFEFE6B3EE18A877DF5522BCF9A825678C1FE2939C
                      SHA-512:FE696DB5413E8930E4731C8D40F6109EEEDAE9E9D26BDAA37173D86FF356ADB2E4459BA5E71F2D262BE538DC70CF1849E28FCCB989861A7893F6824C4D997CFD
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="505825" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Microsoft Cabinet archive data, many, 194154 bytes, 2 files, at 0x2c +A "MSWordServices.exe" +A "OLMAPI32.dll", ID 7700, number 1, 14 datablocks, 0x1503 compression
                      Category:dropped
                      Size (bytes):194154
                      Entropy (8bit):7.9987179030742475
                      Encrypted:true
                      SSDEEP:3072:9OT4+QMIx6GSEOOoTItH4chXeKlpV8WhNyfNdulMVpHfIr+ByHoaP:4E+QVAnjOl4ieipV8VTGipHfS+pM
                      MD5:FD02CF1E9CDF834EFAA46940C585BE24
                      SHA1:6D6EDBD6ACC904A57F19B366554938ECB0081FA0
                      SHA-256:5BC187D2BD7F4287D4CA56988E36B4A520A038EC8AC4BD4DC84710535ADC5A5B
                      SHA-512:F952B958ECFD220070F000437AD9553F6647EFAA606E3D84DC65DFBDF03F355B27B24A0B4CAA95A9271E02513D84D363253730717249C03BC9ADC4B4DBB2A8C9
                      Malicious:false
                      Process:C:\Windows\SysWOW64\expand.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):151392
                      Entropy (8bit):6.138300167598228
                      Encrypted:false
                      SSDEEP:3072:OdYA7fiLrQoAurtzKmJCtnsk7IIesI0xv9wsOJ6iiEQd86953:KYK9uJKmJCp8sIc3OJX2v1
                      MD5:FC860959580C124E7E4781BB08437681
                      SHA1:B551DD88A1D3D5F277DC174F5D9D11EEEA0DAFB0
                      SHA-256:ECA127142A480FE51E7748159C8D219313A4730D60DC22C4DBBC1BD4D6A67B66
                      SHA-512:ABAB3D964D5E7B1BDF365A429CBC5B48614F4FB64281D5C0A4B0CE0AB3580FA539CA0F33BC4243DBBE5C6649FA0CE1A2A89DE12725A78971001CD768AEB075D2
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Joe Sandbox View:
                      • Filename: msas.msi, Detection: malicious, Browse
                      • Filename: MicrosoftEdge.msi, Detection: malicious, Browse
                      • Filename: MicrosoftEdge.msi, Detection: malicious, Browse
                      Process:C:\Windows\SysWOW64\expand.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):285696
                      Entropy (8bit):6.56814625756245
                      Encrypted:false
                      SSDEEP:3072:hbp5Y0UEmuigQJch1NUZIeKFEW/HXGdSz6ednKUp4s9tlZR0ysKNCcSfxaTAhY5u:hbri1yl/H9dnK44s9LZREKzDAOTGl
                      MD5:C846EA473366F6022FF676CDFF20A3FB
                      SHA1:4D95AA531CC74C0C5B327B0D9BA66BB381409C26
                      SHA-256:74BA5883D989566A94E7C6C217B17102F054FFBE98BC9C878A7F700F9809E910
                      SHA-512:61DD4C79FFE82A017F328A8410639CF21B4A5A8BB94716815DAAF490DF7B967353D011842B157B24BB5C19A14DA1BA768BFD0D9A96A52A80DF9731F63A6DDE95
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 75%
                      Process:C:\Windows\SysWOW64\expand.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):151392
                      Entropy (8bit):6.138300167598228
                      Encrypted:false
                      SSDEEP:3072:OdYA7fiLrQoAurtzKmJCtnsk7IIesI0xv9wsOJ6iiEQd86953:KYK9uJKmJCp8sIc3OJX2v1
                      MD5:FC860959580C124E7E4781BB08437681
                      SHA1:B551DD88A1D3D5F277DC174F5D9D11EEEA0DAFB0
                      SHA-256:ECA127142A480FE51E7748159C8D219313A4730D60DC22C4DBBC1BD4D6A67B66
                      SHA-512:ABAB3D964D5E7B1BDF365A429CBC5B48614F4FB64281D5C0A4B0CE0AB3580FA539CA0F33BC4243DBBE5C6649FA0CE1A2A89DE12725A78971001CD768AEB075D2
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Joe Sandbox View:
                      • Filename: msas.msi, Detection: malicious, Browse
                      • Filename: MicrosoftEdge.msi, Detection: malicious, Browse
                      • Filename: MicrosoftEdge.msi, Detection: malicious, Browse
                      Process:C:\Windows\SysWOW64\expand.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):285696
                      Entropy (8bit):6.56814625756245
                      Encrypted:false
                      SSDEEP:3072:hbp5Y0UEmuigQJch1NUZIeKFEW/HXGdSz6ednKUp4s9tlZR0ysKNCcSfxaTAhY5u:hbri1yl/H9dnK44s9LZREKzDAOTGl
                      MD5:C846EA473366F6022FF676CDFF20A3FB
                      SHA1:4D95AA531CC74C0C5B327B0D9BA66BB381409C26
                      SHA-256:74BA5883D989566A94E7C6C217B17102F054FFBE98BC9C878A7F700F9809E910
                      SHA-512:61DD4C79FFE82A017F328A8410639CF21B4A5A8BB94716815DAAF490DF7B967353D011842B157B24BB5C19A14DA1BA768BFD0D9A96A52A80DF9731F63A6DDE95
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 75%
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):509
                      Entropy (8bit):5.297373338785725
                      Encrypted:false
                      SSDEEP:12:bsP6MFMws5EMzbaVRm+PO0++6hzaaVRmIJeIh4:gP6Fws5NbaTWbheafeF
                      MD5:62B76E0E318FD643411DC36A719C9F1F
                      SHA1:B146B70A062CFD55E15E6D2B65CD800853369AF6
                      SHA-256:DCAFF080951DFDBDB848CD6CA519977F0E9187E7F7514840FA48F6214BD669DD
                      SHA-512:091E347BEC2E3E246FC25FAB5F6ABA2858CE69F640D51DD1DE07DB3E8AD7303FBD24DEF23FCBC85511B305AA72411EC7257695C6C1783D75B558CEFD3DF4C0F3
                      Malicious:false
                      Preview:[MSI Wrapper]..WrappedApplicationId={90140000-001B-0409-0000-0000000FF1CE}..InstallSuccessCodes=0..ElevationMode=never..SetupFileName=C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe..SetupParameters=..WorkingDir=..CurrentDir=*FILESDIR*..UILevel=5..Focus=yes..FilesDir=C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\..RunBeforeInstallFile=..RunBeforeInstallParameters=..RunAfterInstallFile=..RunAfterInstallParameters=..
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Microsoft Outlook - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 14.0.4760.1000, Subject: Microsoft Outlook - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {6FB667ED-1310-4415-BE99-B57534C2CC51}, Create Time/Date: Fri Jan 3 19:06:10 2020, Last Saved Time/Date: Fri Jan 3 19:06:10 2020, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (9.0.34.0), Security: 2
                      Category:dropped
                      Size (bytes):368640
                      Entropy (8bit):7.333172745854614
                      Encrypted:false
                      SSDEEP:6144:jJdjoxrGSPVWGQw/+QVAnjOl4ieipV8VTGipHfS+p:jvjoxrGS90v48yee8V5HfRp
                      MD5:C13C4C025C5C779D5DC8848EF160D5DA
                      SHA1:D7671D1F301D74AECE0DB320701395A5CD8CF29A
                      SHA-256:BA2E21641A1238A5B30E535BD0940FCD316A6E5242BFDD48A97AAA203D11642B
                      SHA-512:A0459C7732733A9D83D6E1B985CB9A913AB5FE9E30114AA1DD5B198002F36CE84A0E0E318FC60E9FDBD22DAB29734AAFDC50322FFFECA50211D64B206D9ADEE3
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:modified
                      Size (bytes):131584
                      Entropy (8bit):6.342148943947129
                      Encrypted:false
                      SSDEEP:1536:5w0vysoljaMn5znCmFSasPcgsQdYVD9p/KFXS5sqR86P2HJxSz8d3G800kDCfTOC:almeJd9p8txrJES8CV+gYU+pI5jMh
                      MD5:CA93487A24A49E7C0242E4C8F4CA01F5
                      SHA1:17280B78BFE8C89CB719C2353FADC68D07A2C883
                      SHA-256:7D9D48F563BD966C0CF17DD56A92C1C29506F25F10DB655576E2800FB2E7D50D
                      SHA-512:D3E3169F212F61B9D2C0ABF608FB1F8E719B4E905DDF4A11AEDC7D98D9F5E1532893859D13F2AF8590A14277760ACD8E81FBB9213DBE84A55E97FCA329B10C7D
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.7682554531711178
                      Encrypted:false
                      SSDEEP:12:JSbX72FjdSAGiLIlHVRpzh/7777777777777777777777777vDHFEzVn8p01l0i5:JmQI53Enj8F
                      MD5:E27FF2B793750DD7EAF6663FE617DBD4
                      SHA1:4CA5CA8890172E589B3D05C67293B2EAD5A351BB
                      SHA-256:40EAF38FC0422B95AE421D6213119FA1B58F62FB4818B87751C651D36EC2D494
                      SHA-512:07489C27094E502FF57F7DE86AE5367201FD0C90407CAD9FDA2D94BBC23132498FC993EACBF5DC007DA636277BAC52775422A641832AC51FB26F98E7FBA80289
                      Malicious:false
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):1.2340493685039773
                      Encrypted:false
                      SSDEEP:48:8jquwJveFXJ5T5YXWddSPgrTddSBWrgSrp:Gq+RTuMRqtSrp
                      MD5:44DBC0B20A7536C085B5E65EF433C205
                      SHA1:21E07DEC9C23304FDD3566A02D2D7E8EE5241B0A
                      SHA-256:A2B5583EB6097530F950A56D2A5870047F1DDE4B480DF2A0A854D26E013DF31D
                      SHA-512:2C4E8DD73571BE7086BA2B4ECFA946865056A191B2295FB7BD43D3CDD51833034E37C9584FB65A7AEC7082B7276378BE0AFFBBAACE08AF281757E714B55548E9
                      Malicious:false
                      Process:C:\Windows\SysWOW64\expand.exe
                      File Type:CSV text
                      Category:dropped
                      Size (bytes):345054
                      Entropy (8bit):4.3862240453517165
                      Encrypted:false
                      SSDEEP:192:0K9KmK9KIK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK73:s
                      MD5:228DD9E7DF00A991995B2584B3EF2C39
                      SHA1:4F0600AA20097AE60582BD7C0D041C8B438EA7F9
                      SHA-256:18D9AF985F89D3FCD6E6E510882E52EC7EAFC1CE1E944CFC0933F88CC5B6C502
                      SHA-512:DE0F4033C541E9E7FC1572778075A8AE8106D1DC884C5A95DA15C3798C080D54ADC9F070DEB56CBD39F251A6DDAC6CE89777D2B851FF9256A308D965104D15F0
                      Malicious:false
                      Preview:.2023-10-03 11:48:47, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX CJob::Resume completed with status: 0x0..2023-10-03 11:48:47, Info DPX Ended DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):360001
                      Entropy (8bit):5.3630086411334235
                      Encrypted:false
                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaui:zTtbmkExhMJCIpED
                      MD5:9ADAE0FE087B74046768AFD6900C28C7
                      SHA1:3F1BC2AFAA59F73D086151CCB301E4FD41477EC3
                      SHA-256:8E4AEA7A06F545EED13B6456EE2D367A4E36F7C86AC4A7B43F8809681BD36C8A
                      SHA-512:0D56107657DD79453804241AFBDE99EC20C8D13FB0156BFF187B73BC567B49EB83D705C3F95FEF463CA5C5B7EB4A25FBF86E0486BBBE2CA9A3A6D388AFC36B20
                      Malicious:false
                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):0.06871083664025585
                      Encrypted:false
                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOEzVnhoVky6l0t/:2F0i8n0itFzDHFEzVn101
                      MD5:B484D000E7C1C859D685BC39189C185B
                      SHA1:AFD67EB5271DB938D04BF2E701941F2646FA60AA
                      SHA-256:2CAD4009F267276932965CD57EC99571A99F72B09B5554EAABBDCAAE70EB3E5A
                      SHA-512:C1C7382BF1512527353AE65B5493D25ACF25D422C1410D79211AA49411E44E26EB5349C6CA1491F28967FF27BF00C60640226111F919EDA8AD89DF304FDC0D52
                      Malicious:false
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):81920
                      Entropy (8bit):0.11528723868128912
                      Encrypted:false
                      SSDEEP:24:x0+GNpb/+wY+kJfAebfddipV7kddipVdVgwGPlrkg9SZ+4M:SrpbUrfddSBkddSPgrQX
                      MD5:513359C631D886B3C4B210CC1E8A34D0
                      SHA1:88BA31B07D8F1D7CECF2DD810DF74346C3C157BF
                      SHA-256:FED301153DAB63169E11845DE8E030E39CF62863F9B7DBFB25626037640D9AF3
                      SHA-512:1F16D5C05F9A4C76ABC57B7A647A7EFE999E92303ED25BD4A4DABCA32B004CC66BF8BE5440144A4A57AEF74BF310785773DE483A768CE256EC60A5235EAF7D9E
                      Malicious:false
                      Process:C:\Windows\SysWOW64\expand.exe
                      File Type:ASCII text, with CRLF, CR, LF line terminators
                      Category:dropped
                      Size (bytes):271
                      Entropy (8bit):4.839767001955523
                      Encrypted:false
                      SSDEEP:6:zx3MmSLQHtBXVNsR0PTXkH3JQHwD0DIZJQiOC0n:zK/0HtBFNE0P7kX5D0DYJQiI
                      MD5:F475B90E72335E4500C505952BC0B61F
                      SHA1:4D609DB87FEC8C7135E5029FB05891DDA053A5A7
                      SHA-256:834A1B6EBA62FD66213D4956483F772221A74CCE84295E770E570741C3E76267
                      SHA-512:BA7DA1B6415741E3F9DF36AAC39C4BA8C690FC3CF7FC39E7214188D7F3FFC883944F9C40C478D2092A95BF865027879BF822116CD0CDE13FFE6E3548BFB22240
                      Malicious:false
                      Preview:Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Adding files\MSWordServices.exe to Extraction Queue..Adding files\OLMAPI32.dll to Extraction Queue....Expanding Files ........Expanding Files Complete .....2 files total...
                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Microsoft Outlook - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 14.0.4760.1000, Subject: Microsoft Outlook - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {6FB667ED-1310-4415-BE99-B57534C2CC51}, Create Time/Date: Fri Jan 3 19:06:10 2020, Last Saved Time/Date: Fri Jan 3 19:06:10 2020, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (9.0.34.0), Security: 2
                      Entropy (8bit):7.333172745854614
                      TrID:
                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                      File name:msws.msi
                      File size:368'640 bytes
                      MD5:c13c4c025c5c779d5dc8848ef160d5da
                      SHA1:d7671d1f301d74aece0db320701395a5cd8cf29a
                      SHA256:ba2e21641a1238a5b30e535bd0940fcd316a6e5242bfdd48a97aaa203d11642b
                      SHA512:a0459c7732733a9d83d6e1b985cb9a913ab5fe9e30114aa1dd5b198002f36ce84a0e0e318fc60e9fdbd22dab29734aafdc50322fffeca50211d64b206d9adee3
                      SSDEEP:6144:jJdjoxrGSPVWGQw/+QVAnjOl4ieipV8VTGipHfS+p:jvjoxrGS90v48yee8V5HfRp
                      TLSH:0E74E0923AD9C036C298193F59BAC7963B3A7D355B30D08B77503A6C6E706D1E93A703
                      Icon Hash:2d2e3797b32b2b99
                      Timestamp, Source Port, Dest Port, Source IP, Dest IP
                      Sep 18, 2024 17:23:02.196959019 CEST49764443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.196973085 CEST44349764151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.197015047 CEST44349764151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.197731972 CEST49765443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.197765112 CEST44349765151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.197805882 CEST49765443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.197875023 CEST49765443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.197882891 CEST44349765151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.197918892 CEST44349765151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.198398113 CEST49766443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.198412895 CEST44349766151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.198471069 CEST49766443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.198589087 CEST49766443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.198602915 CEST44349766151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.198646069 CEST44349766151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.199377060 CEST49767443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.199399948 CEST44349767151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.199457884 CEST49767443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.199534893 CEST49767443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.199546099 CEST44349767151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.199637890 CEST44349767151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.200242996 CEST49768443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.200261116 CEST44349768151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.200365067 CEST49768443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.200365067 CEST49768443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.200381994 CEST44349768151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.200473070 CEST44349768151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.201184034 CEST49769443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.201206923 CEST44349769151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.201267004 CEST49769443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.201319933 CEST49769443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.201328993 CEST44349769151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.201374054 CEST44349769151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.201872110 CEST49770443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.201879978 CEST44349770151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.201921940 CEST49770443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.201987982 CEST49770443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.201993942 CEST44349770151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.202029943 CEST44349770151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.202714920 CEST49771443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.202728987 CEST44349771151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.202789068 CEST49771443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.202886105 CEST49771443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.202894926 CEST44349771151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.202933073 CEST44349771151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.203408003 CEST49772443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.203418970 CEST44349772151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.203466892 CEST49772443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.203535080 CEST49772443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.203540087 CEST44349772151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.203583956 CEST44349772151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.204288006 CEST49773443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.204319954 CEST44349773151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.204401970 CEST49773443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.204469919 CEST49773443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.204492092 CEST44349773151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.204607010 CEST44349773151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.205173016 CEST49774443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.205192089 CEST44349774151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.205261946 CEST49774443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.205360889 CEST49774443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.205374956 CEST44349774151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.205430031 CEST44349774151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.206132889 CEST49775443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.206140995 CEST44349775151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.206187963 CEST49775443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.206267118 CEST49775443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.206273079 CEST44349775151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.206302881 CEST44349775151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.206792116 CEST49776443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.206821918 CEST44349776151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.206922054 CEST49776443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.207009077 CEST49776443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.207017899 CEST44349776151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.207061052 CEST44349776151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.207807064 CEST49777443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.207853079 CEST44349777151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.207911015 CEST49777443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.208046913 CEST49777443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.208067894 CEST44349777151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.208108902 CEST44349777151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.208688974 CEST49778443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.208713055 CEST44349778151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.208767891 CEST49778443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.208837986 CEST49778443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.208848000 CEST44349778151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.208880901 CEST44349778151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.209593058 CEST49779443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.209602118 CEST44349779151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.209649086 CEST49779443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.209743977 CEST49779443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.209752083 CEST44349779151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.209793091 CEST44349779151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.210272074 CEST49780443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.210293055 CEST44349780151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.210340977 CEST49780443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.210431099 CEST49780443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.210438013 CEST44349780151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.210484982 CEST44349780151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.211200953 CEST49781443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.211210012 CEST44349781151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.211280107 CEST49781443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.211424112 CEST49781443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.211435080 CEST44349781151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.211484909 CEST44349781151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.212074995 CEST49782443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.212081909 CEST44349782151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.212135077 CEST49782443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.212199926 CEST49782443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.212205887 CEST44349782151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.212265015 CEST44349782151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.213058949 CEST49783443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.213074923 CEST44349783151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.213124037 CEST49783443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.213190079 CEST49783443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.213196993 CEST44349783151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.213248968 CEST44349783151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.213911057 CEST49784443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.213931084 CEST44349784151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.214009047 CEST49784443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.214112997 CEST49784443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.214126110 CEST44349784151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.214181900 CEST44349784151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.214979887 CEST49785443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.215006113 CEST44349785151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.215063095 CEST49785443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.215172052 CEST49785443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.215184927 CEST44349785151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.215231895 CEST44349785151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.215780973 CEST49786443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.215791941 CEST44349786151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.215863943 CEST49786443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.215950966 CEST49786443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.215961933 CEST44349786151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.216011047 CEST44349786151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.216842890 CEST49787443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.216861963 CEST44349787151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.216938019 CEST49787443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.217020035 CEST49787443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.217032909 CEST44349787151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.217088938 CEST44349787151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.217731953 CEST49788443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.217771053 CEST44349788151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.217828035 CEST49788443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.217900038 CEST49788443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.217910051 CEST44349788151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.217947960 CEST44349788151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.218785048 CEST49789443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.218811035 CEST44349789151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.218861103 CEST49789443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.218939066 CEST49789443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.218957901 CEST44349789151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.219007969 CEST44349789151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.219772100 CEST49790443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.219784975 CEST44349790151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.219927073 CEST49790443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.219994068 CEST49790443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.220002890 CEST44349790151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.220046043 CEST44349790151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.220860958 CEST49791443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.220875978 CEST44349791151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.220984936 CEST49791443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.221028090 CEST49791443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.221050024 CEST44349791151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.221095085 CEST44349791151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.221707106 CEST49792443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.221714973 CEST44349792151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.221776962 CEST49792443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.221858025 CEST49792443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.221863985 CEST44349792151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.221894026 CEST44349792151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.222740889 CEST49793443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.222771883 CEST44349793151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.222834110 CEST49793443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.222958088 CEST49793443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.222971916 CEST44349793151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.223026991 CEST44349793151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.223692894 CEST49794443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.223706007 CEST44349794151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.223761082 CEST49794443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.223829985 CEST49794443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.223836899 CEST44349794151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.223871946 CEST44349794151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.224745989 CEST49795443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.224752903 CEST44349795151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.224822044 CEST49795443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.224906921 CEST49795443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.224915981 CEST44349795151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.224952936 CEST44349795151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.225558043 CEST49796443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.225595951 CEST44349796151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.225647926 CEST49796443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.225725889 CEST49796443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.225739956 CEST44349796151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.225769997 CEST44349796151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.226605892 CEST49797443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.226638079 CEST44349797151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.226788044 CEST49797443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.226811886 CEST49797443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.226819038 CEST44349797151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.226900101 CEST44349797151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.227524996 CEST49798443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.227543116 CEST44349798151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.227592945 CEST49798443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.227689981 CEST49798443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.227703094 CEST44349798151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.227778912 CEST44349798151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.228647947 CEST49799443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.228687048 CEST44349799151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.228744984 CEST49799443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.228813887 CEST49799443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.228826046 CEST44349799151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.228939056 CEST44349799151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.229648113 CEST49800443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.229666948 CEST44349800151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.229814053 CEST49800443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.229814053 CEST49800443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.229842901 CEST44349800151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.229913950 CEST44349800151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.230758905 CEST49801443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.230789900 CEST44349801151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.230840921 CEST49801443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.230910063 CEST49801443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.230922937 CEST44349801151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.230962038 CEST44349801151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.231564999 CEST49802443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.231580019 CEST44349802151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.231645107 CEST49802443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.231731892 CEST49802443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.231744051 CEST44349802151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.231787920 CEST44349802151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.232644081 CEST49803443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.232670069 CEST44349803151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.232789040 CEST49803443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.232891083 CEST49803443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.232902050 CEST44349803151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.232945919 CEST44349803151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.233541012 CEST49804443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.233550072 CEST44349804151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.233612061 CEST49804443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.233684063 CEST49804443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.233690977 CEST44349804151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.233726025 CEST44349804151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.234544039 CEST49805443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.234565020 CEST44349805151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.234635115 CEST49805443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.234724045 CEST49805443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.234749079 CEST44349805151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.234785080 CEST44349805151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.235410929 CEST49806443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.235428095 CEST44349806151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.235491037 CEST49806443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.235563040 CEST49806443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.235577106 CEST44349806151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.235610008 CEST44349806151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.236474991 CEST49807443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.236481905 CEST44349807151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.236534119 CEST49807443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.236599922 CEST49807443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.236608028 CEST44349807151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.236644983 CEST44349807151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.237297058 CEST49808443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.237329960 CEST44349808151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.237405062 CEST49808443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.237452984 CEST49808443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.237459898 CEST44349808151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.237495899 CEST44349808151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.238277912 CEST49809443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.238322973 CEST44349809151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.238383055 CEST49809443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.238460064 CEST49809443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.238476992 CEST44349809151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.238514900 CEST44349809151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.239110947 CEST49810443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.239134073 CEST44349810151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.239186049 CEST49810443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.239281893 CEST49810443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.239299059 CEST44349810151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.239336967 CEST44349810151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.240166903 CEST49811443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.240197897 CEST44349811151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.240250111 CEST49811443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.240319967 CEST49811443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.240328074 CEST44349811151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.240360022 CEST44349811151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.240978956 CEST49812443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.241005898 CEST44349812151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.241064072 CEST49812443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.241148949 CEST49812443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.241162062 CEST44349812151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.241178036 CEST44349812151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.242008924 CEST49813443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.242017031 CEST44349813151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.242079020 CEST49813443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.242151022 CEST49813443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.242161989 CEST44349813151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.242181063 CEST44349813151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.243009090 CEST49814443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.243016005 CEST44349814151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.243067026 CEST49814443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.243180990 CEST49814443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.243189096 CEST44349814151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.243207932 CEST44349814151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.244601965 CEST49815443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.244620085 CEST44349815151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.244676113 CEST49815443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.244765043 CEST49815443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.244774103 CEST44349815151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.320632935 CEST44349881151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.325544119 CEST49882443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.325562000 CEST44349882151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.325674057 CEST49882443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.325864077 CEST49882443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.325882912 CEST44349882151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.325903893 CEST44349882151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.327156067 CEST49883443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.327199936 CEST44349883151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.327303886 CEST49883443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.327330112 CEST49883443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.327337027 CEST44349883151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.327364922 CEST44349883151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.328217983 CEST49884443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.328247070 CEST44349884151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.328304052 CEST49884443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.328444958 CEST49884443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.328485966 CEST44349884151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.328509092 CEST44349884151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.329618931 CEST49885443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.329633951 CEST44349885151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.329674959 CEST49885443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.329874039 CEST49885443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.329885006 CEST44349885151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.329900026 CEST44349885151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.330822945 CEST49886443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.330832005 CEST44349886151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.330878973 CEST49886443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.331166983 CEST49886443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.331176043 CEST44349886151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.331191063 CEST44349886151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.332400084 CEST49887443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.332418919 CEST44349887151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.332489967 CEST49887443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.332660913 CEST49887443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.332684994 CEST44349887151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.332706928 CEST44349887151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.333610058 CEST49888443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.333628893 CEST44349888151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.333688021 CEST49888443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.333831072 CEST49888443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.333854914 CEST44349888151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.333878994 CEST44349888151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.335236073 CEST49889443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.335243940 CEST44349889151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.335294008 CEST49889443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.335375071 CEST49889443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.335385084 CEST44349889151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.335406065 CEST44349889151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.336621046 CEST49890443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.336627960 CEST44349890151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.336673021 CEST49890443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.336844921 CEST49890443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.336853981 CEST44349890151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.336874962 CEST44349890151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.338188887 CEST49891443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.338211060 CEST44349891151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.338277102 CEST49891443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.338445902 CEST49891443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.338469982 CEST44349891151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.338495016 CEST44349891151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.339380980 CEST49892443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.339401007 CEST44349892151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.339454889 CEST49892443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.339634895 CEST49892443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.339649916 CEST44349892151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.339668989 CEST44349892151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.340954065 CEST49893443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.340970039 CEST44349893151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.341048956 CEST49893443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.341331005 CEST49893443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.341344118 CEST44349893151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.341360092 CEST44349893151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.342308998 CEST49894443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.342334986 CEST44349894151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.342499971 CEST49894443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.342531919 CEST49894443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.342539072 CEST44349894151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.342557907 CEST44349894151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.343425989 CEST49895443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.343436956 CEST44349895151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.343485117 CEST49895443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.343614101 CEST49895443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.343626976 CEST44349895151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.343646049 CEST44349895151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.344568968 CEST49896443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.344602108 CEST44349896151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.344647884 CEST49896443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.344763994 CEST49896443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.344774961 CEST44349896151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.344791889 CEST44349896151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.345890045 CEST49897443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.345940113 CEST44349897151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.346004009 CEST49897443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.346064091 CEST49897443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.346081972 CEST44349897151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.346101999 CEST44349897151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.346611977 CEST49898443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.346623898 CEST44349898151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.346685886 CEST49898443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.346767902 CEST49898443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.346781969 CEST44349898151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.346801043 CEST44349898151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.347429991 CEST49899443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.347439051 CEST44349899151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.347506046 CEST49899443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.347579002 CEST49899443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.347588062 CEST44349899151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.347604990 CEST44349899151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.348052979 CEST49900443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.348078966 CEST44349900151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.348140001 CEST49900443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.348221064 CEST49900443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.348232985 CEST44349900151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.348249912 CEST44349900151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.348906040 CEST49901443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.348918915 CEST44349901151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.348989964 CEST49901443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.349066019 CEST49901443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.349078894 CEST44349901151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.349098921 CEST44349901151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.349540949 CEST49902443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.349546909 CEST44349902151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.349607944 CEST49902443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.349684000 CEST49902443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.349695921 CEST44349902151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.349715948 CEST44349902151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.350336075 CEST49903443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.350347996 CEST44349903151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.350402117 CEST49903443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.350490093 CEST49903443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.350500107 CEST44349903151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.350517035 CEST44349903151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.350941896 CEST49904443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.350965977 CEST44349904151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.351078987 CEST49904443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.351316929 CEST49904443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.351327896 CEST44349904151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.351346016 CEST44349904151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.352034092 CEST49905443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.352044106 CEST44349905151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.352137089 CEST49905443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.352251053 CEST49905443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.352262974 CEST44349905151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.352282047 CEST44349905151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.353365898 CEST49906443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.353399038 CEST44349906151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.353454113 CEST49906443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.353570938 CEST49906443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.353585005 CEST44349906151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.353604078 CEST44349906151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.355102062 CEST49907443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.355115891 CEST44349907151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.355185986 CEST49907443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.355360985 CEST49907443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.355381966 CEST44349907151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.355406046 CEST44349907151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.356322050 CEST49908443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.356338024 CEST44349908151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.356383085 CEST49908443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.356457949 CEST49908443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.356470108 CEST44349908151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.356486082 CEST44349908151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.357657909 CEST49909443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.357677937 CEST44349909151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.357743979 CEST49909443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.357897043 CEST49909443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.357919931 CEST44349909151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.357945919 CEST44349909151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.358903885 CEST49910443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.358922958 CEST44349910151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.358989954 CEST49910443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.359147072 CEST49910443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.359169960 CEST44349910151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.359200954 CEST44349910151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.360136032 CEST49911443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.360143900 CEST44349911151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.360198021 CEST49911443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.360347986 CEST49911443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.360357046 CEST44349911151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.360374928 CEST44349911151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.361172915 CEST49912443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.361182928 CEST44349912151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.361228943 CEST49912443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.361341953 CEST49912443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.361352921 CEST44349912151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.361372948 CEST44349912151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.362749100 CEST49913443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.362772942 CEST44349913151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.362829924 CEST49913443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.362911940 CEST49913443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.362924099 CEST44349913151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.362941980 CEST44349913151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.363850117 CEST49914443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.363858938 CEST44349914151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.363903999 CEST49914443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.364087105 CEST49914443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.364095926 CEST44349914151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.364114046 CEST44349914151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.365391016 CEST49915443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.365402937 CEST44349915151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.365453005 CEST49915443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.365523100 CEST49915443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.365534067 CEST44349915151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.365559101 CEST44349915151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.366527081 CEST49916443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.366553068 CEST44349916151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.366628885 CEST49916443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.366782904 CEST49916443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.366800070 CEST44349916151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.366822958 CEST44349916151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.368257999 CEST49917443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.368299961 CEST44349917151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.368350029 CEST49917443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.368582964 CEST49917443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.368597031 CEST44349917151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.368617058 CEST44349917151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.369565010 CEST49918443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.369575024 CEST44349918151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.369628906 CEST49918443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.369702101 CEST49918443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.369710922 CEST44349918151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.369728088 CEST44349918151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.370910883 CEST49919443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.370933056 CEST44349919151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.370989084 CEST49919443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.371068001 CEST49919443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.371083975 CEST44349919151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.371104002 CEST44349919151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.371834993 CEST49920443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.371866941 CEST44349920151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.371917009 CEST49920443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.372035027 CEST49920443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.372049093 CEST44349920151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.372066021 CEST44349920151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.373461962 CEST49921443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.373478889 CEST44349921151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.373529911 CEST49921443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.373608112 CEST49921443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.373620033 CEST44349921151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.373641014 CEST44349921151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.374737024 CEST49922443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.374748945 CEST44349922151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.374795914 CEST49922443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.374914885 CEST49922443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.374929905 CEST44349922151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.374952078 CEST44349922151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.375965118 CEST49923443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.375988960 CEST44349923151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.376054049 CEST49923443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.376318932 CEST49923443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.376331091 CEST44349923151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.376348019 CEST44349923151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.377060890 CEST49924443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.377082109 CEST44349924151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.377130032 CEST49924443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.377235889 CEST49924443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.377247095 CEST44349924151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.377265930 CEST44349924151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.378428936 CEST49925443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.378460884 CEST44349925151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.378525019 CEST49925443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.378739119 CEST49925443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.378756046 CEST44349925151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.378777027 CEST44349925151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.379642010 CEST49926443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.379652977 CEST44349926151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.379712105 CEST49926443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.379784107 CEST49926443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.379796982 CEST44349926151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.379817963 CEST44349926151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.380961895 CEST49927443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.380983114 CEST44349927151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.381028891 CEST49927443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.381190062 CEST49927443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.381200075 CEST44349927151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.381226063 CEST44349927151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.382181883 CEST49928443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.382211924 CEST44349928151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.382261992 CEST49928443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.382425070 CEST49928443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.382438898 CEST44349928151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.382467031 CEST44349928151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.384052992 CEST49929443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.384083986 CEST44349929151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.384149075 CEST49929443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.384352922 CEST49929443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.384366989 CEST44349929151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.384387016 CEST44349929151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.385271072 CEST49930443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.385286093 CEST44349930151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.385376930 CEST49930443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.385529995 CEST49930443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.385540962 CEST44349930151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.385557890 CEST44349930151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.386962891 CEST49931443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.386976957 CEST44349931151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.387032032 CEST49931443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.387197018 CEST49931443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.387208939 CEST44349931151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.387231112 CEST44349931151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.388118982 CEST49932443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.388147116 CEST44349932151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.388222933 CEST49932443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.388319016 CEST49932443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.388344049 CEST44349932151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.388369083 CEST44349932151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.389620066 CEST49933443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.464757919 CEST44349999151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.464814901 CEST49999443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.465198994 CEST49999443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.465208054 CEST44349999151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.465229988 CEST44349999151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.466752052 CEST50000443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.466789961 CEST44350000151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.466952085 CEST50000443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.466952085 CEST50000443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.466976881 CEST44350000151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.467010021 CEST44350000151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.469177961 CEST50001443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.469208956 CEST44350001151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.469273090 CEST50001443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.469403028 CEST50001443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.469413042 CEST44350001151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.469430923 CEST44350001151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.471035957 CEST50002443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.471044064 CEST44350002151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.471101046 CEST50002443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.471199989 CEST50002443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.471206903 CEST44350002151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.471221924 CEST44350002151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.473114014 CEST50003443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.473139048 CEST44350003151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.473201990 CEST50003443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.473519087 CEST50003443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.473531008 CEST44350003151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.473551989 CEST44350003151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.474822998 CEST50004443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.474864006 CEST44350004151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.474920988 CEST50004443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.475183010 CEST50004443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.475199938 CEST44350004151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.475224018 CEST44350004151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.476752996 CEST50005443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.476778030 CEST44350005151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.476838112 CEST50005443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.477638006 CEST50005443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.477647066 CEST44350005151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.477665901 CEST44350005151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.478974104 CEST50006443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.478986025 CEST44350006151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.479060888 CEST50006443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.479352951 CEST50006443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.479360104 CEST44350006151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.479374886 CEST44350006151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.480854034 CEST50007443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.480885029 CEST44350007151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.480966091 CEST50007443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.481147051 CEST50007443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.481163025 CEST44350007151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.481184006 CEST44350007151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.483405113 CEST50008443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.483426094 CEST44350008151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.483752012 CEST50008443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.483752012 CEST50008443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.483772993 CEST44350008151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.483809948 CEST44350008151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.485795975 CEST50009443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.485806942 CEST44350009151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.485861063 CEST50009443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.486072063 CEST50009443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.486082077 CEST44350009151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.486100912 CEST44350009151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.487413883 CEST50010443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.487422943 CEST44350010151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.487488985 CEST50010443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.488598108 CEST50010443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.488609076 CEST44350010151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.488627911 CEST44350010151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.503421068 CEST50011443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.503453970 CEST44350011151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.503706932 CEST50011443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.503706932 CEST50011443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.503731012 CEST44350011151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.503789902 CEST44350011151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.504734993 CEST50012443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.504767895 CEST44350012151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.504834890 CEST50012443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.505023956 CEST50012443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.505038023 CEST44350012151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.505053043 CEST44350012151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.506179094 CEST50013443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.506217003 CEST44350013151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.506314039 CEST50013443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.506479979 CEST50013443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.506491899 CEST44350013151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.506508112 CEST44350013151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.507356882 CEST50014443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.507365942 CEST44350014151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.507436991 CEST50014443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.507580042 CEST50014443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.507589102 CEST44350014151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.507603884 CEST44350014151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.508980989 CEST50015443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.509011984 CEST44350015151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.509072065 CEST50015443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.509202957 CEST50015443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.509229898 CEST44350015151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.509244919 CEST44350015151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.510031939 CEST50016443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.510059118 CEST44350016151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.510122061 CEST50016443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.510272980 CEST50016443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.510286093 CEST44350016151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.510299921 CEST44350016151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.511464119 CEST50017443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.511472940 CEST44350017151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.511544943 CEST50017443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.511667013 CEST50017443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.511676073 CEST44350017151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.511693001 CEST44350017151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.512645006 CEST50018443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.512651920 CEST44350018151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.512722969 CEST50018443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.512895107 CEST50018443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.512903929 CEST44350018151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.512919903 CEST44350018151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.514174938 CEST50019443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.514206886 CEST44350019151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.514312983 CEST50019443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.514533997 CEST50019443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.514548063 CEST44350019151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.514563084 CEST44350019151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.515398026 CEST50020443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.515429020 CEST44350020151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.515671968 CEST50020443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.515671968 CEST50020443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.515692949 CEST44350020151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.515719891 CEST44350020151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.517003059 CEST50021443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.517035961 CEST44350021151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.517126083 CEST50021443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.517240047 CEST50021443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.517251968 CEST44350021151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.517268896 CEST44350021151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.518105030 CEST50022443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.518111944 CEST44350022151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.518177986 CEST50022443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.518301964 CEST50022443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.518311024 CEST44350022151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.518331051 CEST44350022151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.519999027 CEST50023443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.520018101 CEST44350023151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.520251989 CEST50023443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.520251989 CEST50023443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.520268917 CEST44350023151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.520292997 CEST44350023151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.521188974 CEST50024443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.521230936 CEST44350024151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.521308899 CEST50024443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.521451950 CEST50024443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.521469116 CEST44350024151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.521486998 CEST44350024151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.522706032 CEST50025443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.522727966 CEST44350025151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.522808075 CEST50025443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.522950888 CEST50025443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.522958994 CEST44350025151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.522974014 CEST44350025151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.523973942 CEST50026443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.523983955 CEST44350026151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.524061918 CEST50026443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.524251938 CEST50026443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.524257898 CEST44350026151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.524271965 CEST44350026151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.525470972 CEST50027443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.525501013 CEST44350027151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.525573015 CEST50027443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.525693893 CEST50027443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.525708914 CEST44350027151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.525727987 CEST44350027151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.526554108 CEST50028443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.526586056 CEST44350028151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.526653051 CEST50028443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.527190924 CEST50028443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.527204990 CEST44350028151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.527223110 CEST44350028151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.529737949 CEST50029443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.529763937 CEST44350029151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.529840946 CEST50029443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.530092955 CEST50029443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.530103922 CEST44350029151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.530118942 CEST44350029151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.531925917 CEST50030443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.531940937 CEST44350030151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.532002926 CEST50030443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.532396078 CEST50030443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.532403946 CEST44350030151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.532417059 CEST44350030151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.534897089 CEST50031443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.534909010 CEST44350031151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.534964085 CEST50031443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.535290003 CEST50031443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.535300970 CEST44350031151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.535317898 CEST44350031151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.537106991 CEST50032443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.537118912 CEST44350032151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.537187099 CEST50032443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.537301064 CEST50032443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.537309885 CEST44350032151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.537328959 CEST44350032151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.539699078 CEST50033443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.539726019 CEST44350033151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.539844036 CEST50033443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.540143967 CEST50033443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.540165901 CEST44350033151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.540179968 CEST44350033151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.541717052 CEST50034443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.541749001 CEST44350034151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.541996002 CEST50034443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.542206049 CEST50034443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.542218924 CEST44350034151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.542234898 CEST44350034151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.544245958 CEST50035443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.544260979 CEST44350035151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.544346094 CEST50035443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.544627905 CEST50035443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.544637918 CEST44350035151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.544653893 CEST44350035151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.546238899 CEST50036443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.546267033 CEST44350036151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.546339989 CEST50036443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.546550035 CEST50036443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.546559095 CEST44350036151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.546575069 CEST44350036151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.548819065 CEST50037443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.548851967 CEST44350037151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.548916101 CEST50037443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.549197912 CEST50037443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.549210072 CEST44350037151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.549226046 CEST44350037151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.550637007 CEST50038443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.550658941 CEST44350038151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.550714970 CEST50038443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.551135063 CEST50038443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.551150084 CEST44350038151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.551166058 CEST44350038151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.553711891 CEST50039443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.553728104 CEST44350039151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.553801060 CEST50039443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.554116011 CEST50039443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.554126024 CEST44350039151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.554143906 CEST44350039151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.555660009 CEST50040443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.555685043 CEST44350040151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.555757999 CEST50040443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.556090117 CEST50040443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.556099892 CEST44350040151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.556113005 CEST44350040151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.558522940 CEST50041443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.558552027 CEST44350041151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.558614016 CEST50041443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.558995008 CEST50041443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.559012890 CEST44350041151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.559030056 CEST44350041151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.561002970 CEST50042443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.561012983 CEST44350042151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.561084032 CEST50042443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.561414003 CEST50042443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.561422110 CEST44350042151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.561436892 CEST44350042151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.563394070 CEST50043443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.563405991 CEST44350043151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.563481092 CEST50043443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.563791037 CEST50043443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.563797951 CEST44350043151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.563811064 CEST44350043151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.565488100 CEST50044443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.565506935 CEST44350044151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.565567970 CEST50044443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.565788031 CEST50044443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.565795898 CEST44350044151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.565810919 CEST44350044151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.567972898 CEST50045443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.568005085 CEST44350045151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.568069935 CEST50045443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.568248987 CEST50045443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.568260908 CEST44350045151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.568276882 CEST44350045151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.569886923 CEST50046443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.569895029 CEST44350046151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.569963932 CEST50046443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.570194006 CEST50046443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.570204020 CEST44350046151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.570224047 CEST44350046151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.572024107 CEST50047443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.572036028 CEST44350047151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.572089911 CEST50047443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.572453976 CEST50047443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.572462082 CEST44350047151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.572474957 CEST44350047151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.574112892 CEST50048443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.574143887 CEST44350048151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.574213982 CEST50048443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.574528933 CEST50048443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.574543953 CEST44350048151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.574559927 CEST44350048151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.576761961 CEST50049443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.576783895 CEST44350049151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.576843977 CEST50049443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.577033043 CEST50049443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.577043056 CEST44350049151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.577059984 CEST44350049151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.578680038 CEST50050443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.578687906 CEST44350050151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.578741074 CEST50050443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.698203087 CEST50116443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.698220015 CEST44350116151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.698234081 CEST44350116151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.699480057 CEST50117443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.699489117 CEST44350117151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.699534893 CEST50117443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.699660063 CEST50117443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.699670076 CEST44350117151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.699685097 CEST44350117151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.700494051 CEST50118443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.700500965 CEST44350118151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.700541973 CEST50118443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.700664043 CEST50118443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.700671911 CEST44350118151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.700686932 CEST44350118151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.701867104 CEST50119443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.701890945 CEST44350119151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.701936960 CEST50119443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.702162027 CEST50119443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.702172041 CEST44350119151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.702187061 CEST44350119151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.703128099 CEST50120443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.703140974 CEST44350120151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.703191996 CEST50120443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.703269958 CEST50120443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.703278065 CEST44350120151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.703294039 CEST44350120151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.704375029 CEST50121443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.704406023 CEST44350121151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.704463005 CEST50121443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.704581976 CEST50121443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.704592943 CEST44350121151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.704606056 CEST44350121151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.705210924 CEST50122443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.705220938 CEST44350122151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.705285072 CEST50122443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.705384016 CEST50122443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.705390930 CEST44350122151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.705409050 CEST44350122151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.706218004 CEST50123443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.706226110 CEST44350123151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.706302881 CEST50123443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.706453085 CEST50123443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.706461906 CEST44350123151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.706478119 CEST44350123151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.706948042 CEST50124443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.706957102 CEST44350124151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.707011938 CEST50124443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.707125902 CEST50124443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.707137108 CEST44350124151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.707153082 CEST44350124151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.707870960 CEST50125443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.707891941 CEST44350125151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.707950115 CEST50125443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.708039045 CEST50125443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.708046913 CEST44350125151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.708060026 CEST44350125151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.708539009 CEST50126443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.708547115 CEST44350126151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.708600044 CEST50126443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.708720922 CEST50126443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.708726883 CEST44350126151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.708738089 CEST44350126151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.709502935 CEST50127443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.709511042 CEST44350127151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.709575891 CEST50127443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.709686041 CEST50127443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.709696054 CEST44350127151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.709711075 CEST44350127151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.710199118 CEST50128443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.710206985 CEST44350128151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.710258961 CEST50128443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.710370064 CEST50128443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.710378885 CEST44350128151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.710393906 CEST44350128151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.711185932 CEST50129443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.711231947 CEST44350129151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.711431980 CEST50129443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.711529970 CEST50129443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.711543083 CEST44350129151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.711559057 CEST44350129151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.712738991 CEST50130443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.712763071 CEST44350130151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.712810040 CEST50130443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.712979078 CEST50130443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.712990046 CEST44350130151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.713005066 CEST44350130151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.714410067 CEST50131443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.714417934 CEST44350131151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.714471102 CEST50131443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.714534998 CEST50131443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.714544058 CEST44350131151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.714557886 CEST44350131151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.715432882 CEST50132443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.715440989 CEST44350132151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.715490103 CEST50132443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.715596914 CEST50132443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.715605974 CEST44350132151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.715620995 CEST44350132151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.716464996 CEST50133443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.716500044 CEST44350133151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.716562986 CEST50133443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.716669083 CEST50133443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.716685057 CEST44350133151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.716696978 CEST44350133151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.717194080 CEST50134443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.717212915 CEST44350134151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.717319012 CEST50134443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.717674971 CEST50134443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.717684984 CEST44350134151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.717698097 CEST44350134151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.718485117 CEST50135443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.718492985 CEST44350135151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.718559980 CEST50135443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.718651056 CEST50135443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.718660116 CEST44350135151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.718673944 CEST44350135151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.719120979 CEST50136443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.719130039 CEST44350136151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.719181061 CEST50136443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.719264984 CEST50136443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.719270945 CEST44350136151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.719281912 CEST44350136151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.719971895 CEST50137443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.719978094 CEST44350137151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.720031977 CEST50137443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.720149994 CEST50137443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.720160007 CEST44350137151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.720174074 CEST44350137151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.720628977 CEST50138443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.720635891 CEST44350138151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.720689058 CEST50138443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.720777035 CEST50138443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.720787048 CEST44350138151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.720799923 CEST44350138151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.721482038 CEST50139443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.721489906 CEST44350139151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.721537113 CEST50139443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.721653938 CEST50139443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.721658945 CEST44350139151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.721669912 CEST44350139151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.722107887 CEST50140443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.722130060 CEST44350140151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.722182035 CEST50140443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.722297907 CEST50140443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.722306967 CEST44350140151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.722318888 CEST44350140151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.723007917 CEST50141443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.723015070 CEST44350141151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.723078012 CEST50141443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.723167896 CEST50141443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.723176003 CEST44350141151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.723189116 CEST44350141151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.723609924 CEST50142443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.723618031 CEST44350142151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.723665953 CEST50142443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.723776102 CEST50142443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.723787069 CEST44350142151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.723800898 CEST44350142151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.724519968 CEST50143443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.724530935 CEST44350143151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.724594116 CEST50143443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.724684000 CEST50143443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.724690914 CEST44350143151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.724703074 CEST44350143151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.725157976 CEST50144443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.725164890 CEST44350144151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.725217104 CEST50144443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.725322008 CEST50144443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.725327969 CEST44350144151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.725338936 CEST44350144151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.726006031 CEST50145443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.726012945 CEST44350145151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.726069927 CEST50145443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.726164103 CEST50145443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.726171970 CEST44350145151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.726185083 CEST44350145151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.726610899 CEST50146443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.726618052 CEST44350146151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.726665974 CEST50146443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.726777077 CEST50146443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.726785898 CEST44350146151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.726799965 CEST44350146151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.728260994 CEST50147443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.728275061 CEST44350147151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.728331089 CEST50147443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.728506088 CEST50147443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.728513956 CEST44350147151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.728530884 CEST44350147151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.729325056 CEST50148443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.729336977 CEST44350148151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.729381084 CEST50148443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.729547024 CEST50148443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.729552984 CEST44350148151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.729566097 CEST44350148151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.730700970 CEST50149443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.730707884 CEST44350149151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.730751038 CEST50149443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.730822086 CEST50149443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.730830908 CEST44350149151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.730845928 CEST44350149151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.731869936 CEST50150443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.731875896 CEST44350150151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.731925964 CEST50150443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.732173920 CEST50150443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.732182026 CEST44350150151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.732197046 CEST44350150151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.733387947 CEST50151443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.733397961 CEST44350151151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.733434916 CEST50151443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.733560085 CEST50151443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.733566046 CEST44350151151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.733577013 CEST44350151151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.734417915 CEST50152443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.734426022 CEST44350152151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.734469891 CEST50152443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.734571934 CEST50152443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.734580994 CEST44350152151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.734595060 CEST44350152151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.735968113 CEST50153443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.736002922 CEST44350153151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.736113071 CEST50153443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.736259937 CEST50153443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.736269951 CEST44350153151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.736283064 CEST44350153151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.737108946 CEST50154443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.737137079 CEST44350154151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.737323999 CEST50154443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.737323999 CEST50154443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.737344027 CEST44350154151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.737365961 CEST44350154151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.738327980 CEST50155443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.738334894 CEST44350155151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.738387108 CEST50155443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.738467932 CEST50155443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.738476038 CEST44350155151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.738490105 CEST44350155151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.739403963 CEST50156443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.739412069 CEST44350156151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.739453077 CEST50156443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.739521027 CEST50156443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.739531994 CEST44350156151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.739547014 CEST44350156151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.740668058 CEST50157443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.740700006 CEST44350157151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.740747929 CEST50157443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.740870953 CEST50157443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.740881920 CEST44350157151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.740895033 CEST44350157151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.741812944 CEST50158443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.741838932 CEST44350158151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.741903067 CEST50158443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.742050886 CEST50158443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.742064953 CEST44350158151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.742079973 CEST44350158151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.743330956 CEST50159443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.743338108 CEST44350159151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.743396044 CEST50159443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.743505955 CEST50159443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.743515968 CEST44350159151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.743621111 CEST44350159151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.744472980 CEST50160443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.744481087 CEST44350160151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.744529009 CEST50160443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.744676113 CEST50160443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.744688034 CEST44350160151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.744736910 CEST44350160151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.745718956 CEST50161443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.745728016 CEST44350161151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.745774984 CEST50161443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.745892048 CEST50161443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.745903015 CEST44350161151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.745949030 CEST44350161151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.746687889 CEST50162443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.746697903 CEST44350162151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.746756077 CEST50162443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.746941090 CEST50162443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.746948957 CEST44350162151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.746988058 CEST44350162151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.748245001 CEST50163443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.748253107 CEST44350163151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.748303890 CEST50163443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.748450994 CEST50163443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.748461962 CEST44350163151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.748503923 CEST44350163151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.749258995 CEST50164443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.749269009 CEST44350164151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.749322891 CEST50164443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.749391079 CEST50164443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.749402046 CEST44350164151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.749445915 CEST44350164151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.750525951 CEST50165443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.750550032 CEST44350165151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.750600100 CEST50165443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.750709057 CEST50165443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.750720024 CEST44350165151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.750761032 CEST44350165151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.751327038 CEST50166443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.751334906 CEST44350166151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.751409054 CEST50166443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.751497030 CEST50166443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.751507044 CEST44350166151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.751545906 CEST44350166151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.752281904 CEST50167443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.752290010 CEST44350167151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.752345085 CEST50167443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.752435923 CEST50167443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.752446890 CEST44350167151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.824157953 CEST44350233151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.825205088 CEST50234443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.825212002 CEST44350234151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.825272083 CEST50234443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.825429916 CEST50234443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.825438023 CEST44350234151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.825452089 CEST44350234151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.826698065 CEST50235443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.826705933 CEST44350235151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.826769114 CEST50235443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.826826096 CEST50235443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.826834917 CEST44350235151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.826850891 CEST44350235151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.827672005 CEST50236443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.827681065 CEST44350236151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.827733994 CEST50236443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.828042030 CEST50236443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.828052044 CEST44350236151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.828068972 CEST44350236151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.829929113 CEST50237443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.829953909 CEST44350237151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.830010891 CEST50237443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.830199957 CEST50237443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.830210924 CEST44350237151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.830224037 CEST44350237151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.831350088 CEST50238443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.831362009 CEST44350238151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.831420898 CEST50238443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.832180023 CEST50238443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.832191944 CEST44350238151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.832209110 CEST44350238151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.833919048 CEST50239443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.833925962 CEST44350239151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.833971024 CEST50239443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.834052086 CEST50239443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.834059954 CEST44350239151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.834075928 CEST44350239151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.835319996 CEST50240443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.835328102 CEST44350240151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.835371971 CEST50240443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.835607052 CEST50240443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.835619926 CEST44350240151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.835644007 CEST44350240151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.837465048 CEST50241443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.837479115 CEST44350241151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.837537050 CEST50241443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.837702036 CEST50241443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.837711096 CEST44350241151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.837728024 CEST44350241151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.838555098 CEST50242443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.838565111 CEST44350242151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.838613033 CEST50242443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.838747025 CEST50242443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.838754892 CEST44350242151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.838769913 CEST44350242151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.839921951 CEST50243443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.839930058 CEST44350243151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.839982033 CEST50243443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.840089083 CEST50243443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.840101957 CEST44350243151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.840120077 CEST44350243151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.841073990 CEST50244443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.841082096 CEST44350244151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.841129065 CEST50244443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.841196060 CEST50244443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.841207981 CEST44350244151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.841226101 CEST44350244151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.852413893 CEST50245443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.852452040 CEST44350245151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.852519035 CEST50245443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.852758884 CEST50245443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.852772951 CEST44350245151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.852819920 CEST44350245151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.853513956 CEST50246443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.853524923 CEST44350246151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.853590012 CEST50246443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.853672981 CEST50246443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.853681087 CEST44350246151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.853698015 CEST44350246151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.854857922 CEST50247443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.854866982 CEST44350247151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.854917049 CEST50247443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.855009079 CEST50247443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.855020046 CEST44350247151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.855038881 CEST44350247151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.855799913 CEST50248443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.855837107 CEST44350248151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.855896950 CEST50248443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.855956078 CEST50248443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.855973959 CEST44350248151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.855988979 CEST44350248151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.857141972 CEST50249443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.857151031 CEST44350249151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.857207060 CEST50249443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.857300997 CEST50249443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.857311964 CEST44350249151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.857332945 CEST44350249151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.858290911 CEST50250443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.858298063 CEST44350250151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.858345985 CEST50250443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.858500004 CEST50250443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.858510017 CEST44350250151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.858530045 CEST44350250151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.859755993 CEST50251443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.859785080 CEST44350251151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.859832048 CEST50251443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.859899044 CEST50251443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.859913111 CEST44350251151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.859927893 CEST44350251151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.860887051 CEST50252443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.860919952 CEST44350252151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.860970974 CEST50252443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.861205101 CEST50252443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.861223936 CEST44350252151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.861239910 CEST44350252151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.862188101 CEST50253443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.862215996 CEST44350253151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.862262964 CEST50253443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.862442017 CEST50253443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.862457991 CEST44350253151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.862478018 CEST44350253151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.863533020 CEST50254443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.863543987 CEST44350254151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.863589048 CEST50254443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.863666058 CEST50254443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.863677979 CEST44350254151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.863719940 CEST44350254151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.864927053 CEST50255443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.864950895 CEST44350255151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.865045071 CEST50255443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.865173101 CEST50255443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.865185022 CEST44350255151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.865223885 CEST44350255151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.866641998 CEST50256443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.866662025 CEST44350256151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.866708994 CEST50256443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.867021084 CEST50256443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.867033005 CEST44350256151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.867072105 CEST44350256151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.868880987 CEST50257443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.868889093 CEST44350257151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.868933916 CEST50257443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.869229078 CEST50257443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.869240046 CEST44350257151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.869282961 CEST44350257151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.873794079 CEST50258443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.873800993 CEST44350258151.236.9.174192.168.2.6
                      Sep 18, 2024 17:23:02.873842001 CEST50258443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.875915051 CEST50258443192.168.2.6151.236.9.174
                      Sep 18, 2024 17:23:02.875926971 CEST44350258151.236.9.174192.168.2.6
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Sep 18, 2024 17:23:02.080801964 CEST | 192.168.2.6 | 1.1.1.1 | 0xab6f | Standard query (0) | outlook-web.ddns.net | A (IP address) | IN (0x0001) | false
                      Sep 18, 2024 17:24:02.327002048 CEST | 192.168.2.6 | 1.1.1.1 | 0x5035 | Standard query (0) | outlook-web.ddns.net | A (IP address) | IN (0x0001) | false
                      Sep 18, 2024 17:25:02.805036068 CEST | 192.168.2.6 | 1.1.1.1 | 0xacc2 | Standard query (0) | outlook-web.ddns.net | A (IP address) | IN (0x0001) | false

                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Sep 18, 2024 17:23:02.091738939 CEST | 1.1.1.1 | 192.168.2.6 | 0xab6f | No error (0) | outlook-web.ddns.net | | 151.236.9.174 | A (IP address) | IN (0x0001) | false
                      Sep 18, 2024 17:24:02.335551023 CEST | 1.1.1.1 | 192.168.2.6 | 0x5035 | No error (0) | outlook-web.ddns.net | | 151.236.9.174 | A (IP address) | IN (0x0001) | false
                      Sep 18, 2024 17:25:02.813792944 CEST | 1.1.1.1 | 192.168.2.6 | 0xacc2 | No error (0) | outlook-web.ddns.net | | 151.236.9.174 | A (IP address) | IN (0x0001) | false


                      Target ID:0
                      Start time:11:22:55
                      Start date:18/09/2024
                      Path:C:\Windows\System32\msiexec.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\msws.msi"
                      Imagebase:0x7ff7d38d0000
                      File size:69'632 bytes
                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:1
                      Start time:11:22:55
                      Start date:18/09/2024
                      Path:C:\Windows\System32\msiexec.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\msiexec.exe /V
                      Imagebase:0x7ff7d38d0000
                      File size:69'632 bytes
                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:3
                      Start time:11:22:57
                      Start date:18/09/2024
                      Path:C:\Windows\SysWOW64\msiexec.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B12D13CACE43515F68A41F2B0DDB3F8C
                      Imagebase:0x250000
                      File size:59'904 bytes
                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:4
                      Start time:11:22:58
                      Start date:18/09/2024
                      Path:C:\Windows\SysWOW64\expand.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\expand.exe" -R files.cab -F:* files
                      Imagebase:0xc0000
                      File size:53'248 bytes
                      MD5 hash:544B0DBFF3F393BCE8BB9D815F532D51
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:5
                      Start time:11:22:58
                      Start date:18/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:11:22:59
                      Start date:18/09/2024
                      Path:C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe"
                      Imagebase:0x2de00000
                      File size:151'392 bytes
                      MD5 hash:FC860959580C124E7E4781BB08437681
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_ORPCBackdoor, Description: Yara detected ORPCBackdoor, Source: 00000006.00000002.3381013468.0000000000AFD000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                      Target ID:7
                      Start time:11:23:01
                      Start date:18/09/2024
                      Path:C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\MW-7ee27cdf-ebd4-42c2-9cd8-711a0386958b\files\MSWordServices.exe
                      Imagebase:0x2de00000
                      File size:151'392 bytes
                      MD5 hash:FC860959580C124E7E4781BB08437681
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:10
                      Start time:11:23:03
                      Start date:18/09/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1008
                      Imagebase:0x8a0000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true


                        Execution Graph

                        Execution Coverage:6.7%
                        Dynamic/Decrypted Code Coverage:2.6%
                        Signature Coverage:48.8%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:22
__DllMainCRTStartup@12 36 API calls 42185->42187 42188 6c8d4149 __DllMainCRTStartup@12 36 API calls 42186->42188 42189 6c8d7db8 42187->42189 42190 6c8d594f 42188->42190 42192 6c8d4149 __DllMainCRTStartup@12 36 API calls 42189->42192 42193 6c8d4149 __DllMainCRTStartup@12 36 API calls 42190->42193 42195 6c8d7dc3 42192->42195 42196 6c8d595a 42193->42196 42194->42132 42194->42137 42250 6c8d5e06 __DllMainCRTStartup@12 42194->42250 42258 6c8d7c2b Sleep 42194->42258 42278 6c8d4218 36 API calls __DllMainCRTStartup@12 42194->42278 42290 6c8d7cd3 RpcStringFreeA 42194->42290 42293 6c8e6ee3 23 API calls __DllMainCRTStartup@12 42194->42293 42307 6c8d320c 38 API calls __DllMainCRTStartup@12 42194->42307 42309 6c8d1584 38 API calls __DllMainCRTStartup@12 42194->42309 42311 6c8d30d6 38 API calls __DllMainCRTStartup@12 42194->42311 42322 6c8dcafb __DllMainCRTStartup@12 38 API calls 42194->42322 42330 6c8d4a2e 38 API calls __DllMainCRTStartup@12 42194->42330 42344 6c8d44b1 38 API calls __DllMainCRTStartup@12 42194->42344 42348 6c8d15ca 38 API calls __DllMainCRTStartup@12 42194->42348 42352 6c8d15a7 38 API calls __DllMainCRTStartup@12 42194->42352 42354 6c8d4149 36 API calls __DllMainCRTStartup@12 42194->42354 42355 6c8d80d7 44 API calls __DllMainCRTStartup@12 42194->42355 42356 6c8d7fae 46 API calls __DllMainCRTStartup@12 42194->42356 42367 6c8d5ffd _strcat __fread_nolock __DllMainCRTStartup@12 42194->42367 43091 6c8d326b 38 API calls 2 library calls 42194->43091 43099 6c8d4481 36 API calls __DllMainCRTStartup@12 42194->43099 43100 6c8d4a44 38 API calls __DllMainCRTStartup@12 42194->43100 43101 6c8d170a 42194->43101 43107 6c8e792e 39 API calls 2 library calls 42194->43107 43108 6c8ddba9 38 API calls __DllMainCRTStartup@12 42194->43108 43109 6c8d156a 38 API calls __DllMainCRTStartup@12 42194->43109 43110 6c8ddbbe 38 API calls __DllMainCRTStartup@12 42194->43110 43113 6c8dc9e5 41 API calls 3 library calls 42194->43113 42197 6c8d4149 __DllMainCRTStartup@12 36 API calls 42195->42197 
42198 6c8d4149 __DllMainCRTStartup@12 36 API calls 42196->42198 42199 6c8d7dce 42197->42199 42200 6c8d5965 42198->42200 42201 6c8d4149 __DllMainCRTStartup@12 36 API calls 42199->42201 42202 6c8d4149 __DllMainCRTStartup@12 36 API calls 42200->42202 42203 6c8d7dd9 42201->42203 42204 6c8d5970 42202->42204 42205 6c8d4149 __DllMainCRTStartup@12 36 API calls 42203->42205 42206 6c8d4149 __DllMainCRTStartup@12 36 API calls 42204->42206 42207 6c8d7de4 42205->42207 42208 6c8d597b 42206->42208 42209 6c8d4149 __DllMainCRTStartup@12 36 API calls 42207->42209 42210 6c8d4149 __DllMainCRTStartup@12 36 API calls 42208->42210 42211 6c8d7def 42209->42211 42212 6c8d5986 42210->42212 42214 6c8d4149 __DllMainCRTStartup@12 36 API calls 42211->42214 42213 6c8d4149 __DllMainCRTStartup@12 36 API calls 42212->42213 42215 6c8d5991 42213->42215 42216 6c8d7dfa 42214->42216 42217 6c8d4149 __DllMainCRTStartup@12 36 API calls 42215->42217 42218 6c8d4149 __DllMainCRTStartup@12 36 API calls 42216->42218 42220 6c8d599c 42217->42220 42219 6c8d7e05 42218->42219 42221 6c8d4149 __DllMainCRTStartup@12 36 API calls 42219->42221 42222 6c8d4149 __DllMainCRTStartup@12 36 API calls 42220->42222 42223 6c8d7e10 42221->42223 42224 6c8d59a7 42222->42224 42225 6c8d4149 __DllMainCRTStartup@12 36 API calls 42223->42225 42226 6c8d4149 __DllMainCRTStartup@12 36 API calls 42224->42226 42227 6c8d7e1b 42225->42227 42228 6c8d59b2 42226->42228 42229 6c8d4149 __DllMainCRTStartup@12 36 API calls 42227->42229 42230 6c8d4149 __DllMainCRTStartup@12 36 API calls 42228->42230 42231 6c8d7e26 42229->42231 42232 6c8d59bd 42230->42232 42233 6c8d4149 __DllMainCRTStartup@12 36 API calls 42231->42233 42234 6c8d4149 __DllMainCRTStartup@12 36 API calls 42232->42234 42235 6c8d7e31 42233->42235 42236 6c8d59c8 42234->42236 42237 6c8d4149 __DllMainCRTStartup@12 36 API calls 42235->42237 42238 6c8d4149 __DllMainCRTStartup@12 36 API calls 42236->42238 42239 6c8d7e3c 42237->42239 42240 6c8d59d3 42238->42240 42241 6c8d4149 __DllMainCRTStartup@12 
36 API calls 42239->42241 42242 6c8d4149 __DllMainCRTStartup@12 36 API calls 42240->42242 42243 6c8d7e47 42241->42243 42244 6c8d59de 42242->42244 42246 6c8d4149 __DllMainCRTStartup@12 36 API calls 42243->42246 42245 6c8d4149 __DllMainCRTStartup@12 36 API calls 42244->42245 42247 6c8d59e9 42245->42247 42248 6c8d7e52 42246->42248 42249 6c8d4149 __DllMainCRTStartup@12 36 API calls 42247->42249 42251 6c8d4149 __DllMainCRTStartup@12 36 API calls 42248->42251 42253 6c8d59f4 42249->42253 42259 6c8d5e23 __DllMainCRTStartup@12 42250->42259 42271 6c8d5eb0 __DllMainCRTStartup@12 42250->42271 42252 6c8d7e5d 42251->42252 42254 6c8d4149 __DllMainCRTStartup@12 36 API calls 42252->42254 42255 6c8d4149 __DllMainCRTStartup@12 36 API calls 42253->42255 42256 6c8d7e68 42254->42256 42257 6c8d59ff 42255->42257 42260 6c8d5a36 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42256->42260 42261 6c8d4149 __DllMainCRTStartup@12 36 API calls 42256->42261 42262 6c8d4149 __DllMainCRTStartup@12 36 API calls 42257->42262 42258->42194 43092 6c8d163c 38 API calls __DllMainCRTStartup@12 42259->43092 42260->41970 42261->42260 42263 6c8d5a0a 42262->42263 42266 6c8d4149 __DllMainCRTStartup@12 36 API calls 42263->42266 42264 6c8d5eab 42264->41970 42268 6c8d5a15 42266->42268 42267 6c8d5e4d 43093 6c8d4481 36 API calls __DllMainCRTStartup@12 42267->43093 42270 6c8d4149 __DllMainCRTStartup@12 36 API calls 42268->42270 42273 6c8d5a20 42270->42273 42271->42264 42276 6c8dcafb __DllMainCRTStartup@12 38 API calls 42271->42276 42272 6c8d5e5c 42274 6c8d4149 __DllMainCRTStartup@12 36 API calls 42272->42274 42275 6c8d4149 __DllMainCRTStartup@12 36 API calls 42273->42275 42277 6c8d5e67 __DllMainCRTStartup@12 42274->42277 42279 6c8d5a2b 42275->42279 42280 6c8d5f0d 42276->42280 43094 6c8d163c 38 API calls __DllMainCRTStartup@12 42277->43094 42278->42194 42281 6c8d4149 __DllMainCRTStartup@12 36 API calls 42279->42281 43096 6c8dc14f 38 API calls __DllMainCRTStartup@12 42280->43096 42281->42260 42282 6c8e8f90 
__DllMainCRTStartup@12 41 API calls 42282->42367 42285 6c8d5e91 43095 6c8d4481 36 API calls __DllMainCRTStartup@12 42285->43095 42286 6c8d603e CreateFileA 42286->42367 42288 6c8d5f1f __DllMainCRTStartup@12 42292 6c8dcafb __DllMainCRTStartup@12 38 API calls 42288->42292 42289 6c8d5ea0 42291 6c8d4149 __DllMainCRTStartup@12 36 API calls 42289->42291 42290->42194 42291->42264 42295 6c8d5f69 42292->42295 42293->42194 42294 6c8d606a WriteFile CloseHandle 42294->42367 43097 6c8dc14f 38 API calls __DllMainCRTStartup@12 42295->43097 42297 6c8d5f7b 42299 6c8d44b1 __DllMainCRTStartup@12 38 API calls 42297->42299 42298 6c8d7c1e Sleep 42298->42194 42300 6c8d5f98 42299->42300 42301 6c8d44b1 __DllMainCRTStartup@12 38 API calls 42300->42301 42303 6c8d5fa8 42301->42303 42302 6c8d320c __DllMainCRTStartup@12 38 API calls 42302->42367 42304 6c8d4149 __DllMainCRTStartup@12 36 API calls 42303->42304 42305 6c8d5fb3 42304->42305 42305->42264 42306 6c8d4149 __DllMainCRTStartup@12 36 API calls 42305->42306 42306->42264 42307->42194 42308 6c8d4a5d 38 API calls __DllMainCRTStartup@12 42308->42367 42309->42194 42311->42194 42312 6c8d30d6 38 API calls __DllMainCRTStartup@12 42312->42367 42313 6c8d16a1 __DllMainCRTStartup@12 38 API calls 42313->42367 42317 6c8d7454 WinExec 42318 6c8d15ca __DllMainCRTStartup@12 38 API calls 42317->42318 42318->42367 42319 6c8d7816 WinExec Sleep 42320 6c8d320c __DllMainCRTStartup@12 38 API calls 42319->42320 42349 6c8d7838 _strcat __fread_nolock _strncpy __DllMainCRTStartup@12 42320->42349 42321 6c8dcafb __DllMainCRTStartup@12 38 API calls 42321->42367 42322->42194 42326 6c8dc498 82 API calls __DllMainCRTStartup@12 42326->42349 42329 6c8d4149 __DllMainCRTStartup@12 36 API calls 42329->42298 42330->42194 42333 6c8d44b1 __DllMainCRTStartup@12 38 API calls 42333->42349 42336 6c8d15ca __DllMainCRTStartup@12 38 API calls 42336->42349 42337 6c8d1584 38 API calls __DllMainCRTStartup@12 42337->42349 42338 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42338->42349 42339 
6c8d4149 36 API calls __DllMainCRTStartup@12 42339->42349 42341 6c8d320c 38 API calls __DllMainCRTStartup@12 42341->42349 42342 6c8d4149 36 API calls __DllMainCRTStartup@12 42342->42367 42343 6c8dcafb 38 API calls __DllMainCRTStartup@12 42343->42349 42344->42194 42345 6c8e8f90 __DllMainCRTStartup@12 41 API calls 42345->42349 42346 6c8d4481 36 API calls __DllMainCRTStartup@12 42346->42349 42348->42194 42349->42326 42349->42329 42349->42333 42349->42336 42349->42337 42349->42338 42349->42339 42349->42341 42349->42343 42349->42345 42349->42346 42350 6c8d80d7 44 API calls __DllMainCRTStartup@12 42349->42350 43114 6c8d2e9d 102 API calls __DllMainCRTStartup@12 42349->43114 43115 6c8ddada 82 API calls 2 library calls 42349->43115 43116 6c8dc2be 82 API calls 2 library calls 42349->43116 43117 6c8daaa8 69 API calls __DllMainCRTStartup@12 42349->43117 43118 6c8d4a5d 42349->43118 43121 6c8d4a73 67 API calls __DllMainCRTStartup@12 42349->43121 42350->42349 42351 6c8d80d7 44 API calls __DllMainCRTStartup@12 42351->42367 42352->42194 42354->42194 42355->42194 42356->42194 42358 6c8d6ed9 PathFileExistsA 42358->42367 42359 6c8d44b1 38 API calls __DllMainCRTStartup@12 42359->42367 42360 6c8d6eef DeleteFileA 42360->42367 42361 6c8d6f2e CreateFileA WriteFile CloseHandle 42363 6c8d44b1 __DllMainCRTStartup@12 38 API calls 42361->42363 42362 6c8d15ca 38 API calls __DllMainCRTStartup@12 42362->42367 42363->42367 42364 6c8d6f85 PathFileExistsA 42364->42367 42365 6c8d1584 38 API calls __DllMainCRTStartup@12 42365->42367 42366 6c8d4a2e 38 API calls __DllMainCRTStartup@12 42366->42367 42367->42282 42367->42286 42367->42294 42367->42298 42367->42302 42367->42308 42367->42312 42367->42313 42367->42317 42367->42319 42367->42321 42367->42342 42367->42351 42367->42358 42367->42359 42367->42360 42367->42361 42367->42362 42367->42364 42367->42365 42367->42366 43098 6c8d4481 36 API calls __DllMainCRTStartup@12 42367->43098 43111 6c8d2e9d 102 API calls __DllMainCRTStartup@12 42367->43111 43112 
6c8d4a73 67 API calls __DllMainCRTStartup@12 42367->43112 42369 6c8d322a __DllMainCRTStartup@12 42368->42369 43122 6c8da770 42369->43122 42371 6c8d3252 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z __DllMainCRTStartup@12 42371->41974 42373 6c8de777 __DllMainCRTStartup@12 42372->42373 42374 6c8de804 42373->42374 42376 6c8d44b1 __DllMainCRTStartup@12 38 API calls 42373->42376 42378 6c8d4a44 38 API calls __DllMainCRTStartup@12 42373->42378 43131 6c8e79ce 39 API calls 2 library calls 42373->43131 42375 6c8d4149 __DllMainCRTStartup@12 36 API calls 42374->42375 42377 6c8de80c __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42375->42377 42376->42373 42377->41976 42378->42373 42381 6c8dcb0f __DllMainCRTStartup@12 42380->42381 43132 6c8d3142 42381->43132 42383 6c8d501e 42383->41983 42385 6c8d15d8 __DllMainCRTStartup@12 42384->42385 42387 6c8d15fb __DllMainCRTStartup@12 42385->42387 43150 6c8da468 38 API calls __DllMainCRTStartup@12 42385->43150 43146 6c8d353f 42387->43146 42389 6c8d1637 42389->41988 43182 6c8da2c6 42390->43182 42392 6c8d4158 __DllMainCRTStartup@12 42392->41991 42394 6c8dcbc6 CoInitializeSecurity 42393->42394 42398 6c8dcbbe __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42393->42398 42395 6c8dcbed CoUninitialize 42394->42395 42396 6c8dcbfb GetModuleFileNameW 42394->42396 42395->42398 43187 6c8d36c1 42396->43187 42398->41996 42399 6c8dcc2b CoCreateInstance 42400 6c8dcc5c CoUninitialize 42399->42400 42401 6c8dcc82 42399->42401 42402 6c8d4162 __DllMainCRTStartup@12 36 API calls 42400->42402 43191 6c8d3b67 VariantInit 42401->43191 42402->42398 42404 6c8dcc8d 43192 6c8d3b67 VariantInit 42404->43192 42406 6c8dcca4 43193 6c8d3b67 VariantInit 42406->43193 42408 6c8dccbb 43194 6c8d3b67 VariantInit 42408->43194 42410 6c8dccd2 43195 6c8d430a VariantClear 42410->43195 42412 6c8dcd3c 43196 6c8d430a VariantClear 42412->43196 42414 6c8dcd47 43197 6c8d430a VariantClear 42414->43197 42416 6c8dcd52 43198 6c8d430a VariantClear 42416->43198 
42418 6c8dcd5d 42419 6c8dcd9d 42418->42419 42420 6c8dcd66 CoUninitialize 42418->42420 43199 6c8d3acf 42419->43199 42423 6c8d4162 __DllMainCRTStartup@12 36 API calls 42420->42423 42423->42398 42424 6c8dcdbb __DllMainCRTStartup@12 43204 6c8d42f9 42424->43204 42427 6c8dcdee CoUninitialize 42431 6c8d4162 __DllMainCRTStartup@12 36 API calls 42427->42431 42428 6c8dce25 42429 6c8d3acf __DllMainCRTStartup@12 17 API calls 42428->42429 42432 6c8dce38 __DllMainCRTStartup@12 42429->42432 42431->42398 42433 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42432->42433 42434 6c8dce5c 42433->42434 42435 6c8dce9d CoUninitialize 42434->42435 42436 6c8dced4 42434->42436 42438 6c8d4162 __DllMainCRTStartup@12 36 API calls 42435->42438 42439 6c8dcf4a 42436->42439 42440 6c8dcf02 CoUninitialize 42436->42440 42438->42398 43207 6c8d3a76 42439->43207 42443 6c8d4162 __DllMainCRTStartup@12 36 API calls 42440->42443 42443->42398 42444 6c8dcf5a __DllMainCRTStartup@12 42445 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42444->42445 42446 6c8dcf84 42445->42446 42447 6c8dcf9e CoUninitialize 42446->42447 42448 6c8dcfe6 42446->42448 42452 6c8d4162 __DllMainCRTStartup@12 36 API calls 42447->42452 42449 6c8dd05c 42448->42449 42450 6c8dd014 CoUninitialize 42448->42450 42455 6c8dd08f CoUninitialize 42449->42455 42456 6c8dd0d7 42449->42456 42454 6c8d4162 __DllMainCRTStartup@12 36 API calls 42450->42454 42452->42398 42454->42398 42460 6c8d4162 __DllMainCRTStartup@12 36 API calls 42455->42460 42457 6c8dd14d 42456->42457 42458 6c8dd105 CoUninitialize 42456->42458 42462 6c8dd1c8 42457->42462 42463 6c8dd180 CoUninitialize 42457->42463 42464 6c8d4162 __DllMainCRTStartup@12 36 API calls 42458->42464 42460->42398 42465 6c8dd1f9 CoUninitialize 42462->42465 42466 6c8dd241 42462->42466 42469 6c8d4162 __DllMainCRTStartup@12 36 API calls 42463->42469 42464->42398 42471 6c8d4162 __DllMainCRTStartup@12 36 API calls 42465->42471 42467 6c8d3a76 __DllMainCRTStartup@12 21 API calls 42466->42467 42472 6c8dd251 
__DllMainCRTStartup@12 42467->42472 42469->42398 42471->42398 42473 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42472->42473 42474 6c8dd27b 42473->42474 42475 6c8dd2dd 42474->42475 42476 6c8dd295 CoUninitialize 42474->42476 42477 6c8dd30b CoUninitialize 42475->42477 42478 6c8dd353 42475->42478 42480 6c8d4162 __DllMainCRTStartup@12 36 API calls 42476->42480 42484 6c8d4162 __DllMainCRTStartup@12 36 API calls 42477->42484 42482 6c8dd3dc 42478->42482 42483 6c8dd394 CoUninitialize 42478->42483 42480->42398 42486 6c8dd41f CoUninitialize 42482->42486 42487 6c8dd467 42482->42487 42488 6c8d4162 __DllMainCRTStartup@12 36 API calls 42483->42488 42484->42398 42491 6c8d4162 __DllMainCRTStartup@12 36 API calls 42486->42491 42489 6c8d3acf __DllMainCRTStartup@12 17 API calls 42487->42489 42488->42398 42492 6c8dd477 __DllMainCRTStartup@12 42489->42492 42491->42398 42493 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42492->42493 42494 6c8dd4a1 42493->42494 42495 6c8d3acf __DllMainCRTStartup@12 17 API calls 42494->42495 42496 6c8dd4b1 __DllMainCRTStartup@12 42495->42496 42497 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42496->42497 42498 6c8dd4db 42497->42498 42499 6c8dd4fd CoUninitialize 42498->42499 42500 6c8dd556 42498->42500 42505 6c8d4162 __DllMainCRTStartup@12 36 API calls 42499->42505 42501 6c8dd5dd 42500->42501 42502 6c8dd595 CoUninitialize 42500->42502 42504 6c8d3acf __DllMainCRTStartup@12 17 API calls 42501->42504 42507 6c8d4162 __DllMainCRTStartup@12 36 API calls 42502->42507 42508 6c8dd5ed __DllMainCRTStartup@12 42504->42508 42505->42398 42507->42398 42509 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42508->42509 42510 6c8dd617 42509->42510 42511 6c8dd679 42510->42511 42512 6c8dd620 CoUninitialize 42510->42512 42513 6c8d3acf __DllMainCRTStartup@12 17 API calls 42511->42513 42516 6c8d4162 __DllMainCRTStartup@12 36 API calls 42512->42516 42514 6c8dd689 __DllMainCRTStartup@12 42513->42514 42517 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42514->42517 42516->42398 
42518 6c8dd6b3 42517->42518 42519 6c8dd6cd CoUninitialize 42518->42519 42520 6c8dd715 42518->42520 42524 6c8d4162 __DllMainCRTStartup@12 36 API calls 42519->42524 42521 6c8dd78b 42520->42521 42522 6c8dd743 CoUninitialize 42520->42522 42526 6c8dd7cc CoUninitialize 42521->42526 42527 6c8dd814 42521->42527 42528 6c8d4162 __DllMainCRTStartup@12 36 API calls 42522->42528 42524->42398 42530 6c8d4162 __DllMainCRTStartup@12 36 API calls 42526->42530 42531 6c8dd89f __DllMainCRTStartup@12 42527->42531 42532 6c8dd857 CoUninitialize 42527->42532 42528->42398 42530->42398 42533 6c8d3acf __DllMainCRTStartup@12 17 API calls 42531->42533 42535 6c8d4162 __DllMainCRTStartup@12 36 API calls 42532->42535 42536 6c8dd8b6 __DllMainCRTStartup@12 42533->42536 42535->42398 42537 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42536->42537 42538 6c8dd8e0 42537->42538 42539 6c8dd8fa CoUninitialize 42538->42539 42540 6c8dd942 42538->42540 42546 6c8d4162 __DllMainCRTStartup@12 36 API calls 42539->42546 43212 6c8d3b28 SysAllocString 42540->43212 42542 6c8dd959 43214 6c8d3b67 VariantInit 42542->43214 42545 6c8dd970 43215 6c8d3b67 VariantInit 42545->43215 42546->42398 42548 6c8dd987 42549 6c8d3acf __DllMainCRTStartup@12 17 API calls 42548->42549 42550 6c8dd9e2 __DllMainCRTStartup@12 42549->42550 42551 6c8d42f9 __DllMainCRTStartup@12 SysFreeString 42550->42551 42552 6c8dda0c 42551->42552 43216 6c8d430a VariantClear 42552->43216 42554 6c8dda17 43217 6c8d430a VariantClear 42554->43217 42556 6c8dda22 43218 6c8d430a VariantClear 42556->43218 42558 6c8dda2d 42559 6c8dda7b CoUninitialize 42558->42559 42560 6c8dda36 CoUninitialize 42558->42560 43219 6c8d4162 42559->43219 42562 6c8d4162 __DllMainCRTStartup@12 36 API calls 42560->42562 42562->42398 42566 6c8d7edf Process32First 42565->42566 42567 6c8d7eca 42565->42567 42569 6c8d7eff CloseHandle 42566->42569 42570 6c8d7f20 42566->42570 42568 6c8d320c __DllMainCRTStartup@12 38 API calls 42567->42568 42575 6c8d7ed7 
__ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42568->42575 42571 6c8d320c __DllMainCRTStartup@12 38 API calls 42569->42571 42572 6c8d320c __DllMainCRTStartup@12 38 API calls 42570->42572 42573 6c8d7f18 42571->42573 42574 6c8d7f2d 42572->42574 42573->42575 42576 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42574->42576 42577 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42574->42577 42575->42015 42576->42574 42578 6c8d7f49 OpenProcess Process32Next 42577->42578 42578->42574 42579 6c8d7f7f CloseHandle 42578->42579 42580 6c8d7f97 __DllMainCRTStartup@12 42579->42580 42581 6c8d4149 __DllMainCRTStartup@12 36 API calls 42580->42581 42581->42575 42583 6c8deaa0 __DllMainCRTStartup@12 42582->42583 42584 6c8d320c __DllMainCRTStartup@12 38 API calls 42583->42584 42585 6c8deac4 GetSystemDirectoryW 42584->42585 42586 6c8deb0c GetSystemInfo GetComputerNameW 42585->42586 42587 6c8deada 42585->42587 42588 6c8deb3b 42586->42588 42589 6c8deb50 42586->42589 42590 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42587->42590 42591 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42588->42591 42592 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42589->42592 42593 6c8deaea __DllMainCRTStartup@12 42590->42593 42594 6c8deb4b 42591->42594 42605 6c8deb62 __DllMainCRTStartup@12 42592->42605 42596 6c8d4149 __DllMainCRTStartup@12 36 API calls 42593->42596 42595 6c8debf9 RegOpenKeyExW 42594->42595 42597 6c8dec4d 42595->42597 42598 6c8dec1b 42595->42598 42604 6c8deb04 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42596->42604 43239 6c8e05f9 42597->43239 42600 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42598->42600 42602 6c8dec2b __DllMainCRTStartup@12 42600->42602 42601 6c8dec6b 42603 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42601->42603 42606 6c8d4149 __DllMainCRTStartup@12 36 API calls 42602->42606 42613 6c8dec80 __DllMainCRTStartup@12 42603->42613 42604->42006 42607 6c8de818 __DllMainCRTStartup@12 38 API calls 42605->42607 42606->42604 42608 6c8deba1 42607->42608 42609 
6c8d170a __DllMainCRTStartup@12 38 API calls 42608->42609 42610 6c8debb9 42609->42610 42611 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42610->42611 42612 6c8debc8 42611->42612 42614 6c8d4149 __DllMainCRTStartup@12 36 API calls 42612->42614 43245 6c8de818 42613->43245 42617 6c8debd3 42614->42617 42616 6c8decbf 42618 6c8d170a __DllMainCRTStartup@12 38 API calls 42616->42618 42619 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42617->42619 42620 6c8decd7 42618->42620 42621 6c8debe3 42619->42621 42622 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42620->42622 42623 6c8d4149 __DllMainCRTStartup@12 36 API calls 42621->42623 42624 6c8dece6 42622->42624 42625 6c8debee 42623->42625 42626 6c8d4149 __DllMainCRTStartup@12 36 API calls 42624->42626 42627 6c8d4162 __DllMainCRTStartup@12 36 API calls 42625->42627 42628 6c8decf1 42626->42628 42627->42595 42629 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42628->42629 42630 6c8ded01 __fread_nolock 42629->42630 42631 6c8ded14 GetVersionExW GetModuleHandleA LoadStringW 42630->42631 42632 6c8dee08 42631->42632 42633 6c8ded53 wsprintfA 42631->42633 42634 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42632->42634 42635 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42633->42635 42636 6c8dee26 42634->42636 42637 6c8ded7b 42635->42637 42638 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42636->42638 42639 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42637->42639 42646 6c8dee3b __DllMainCRTStartup@12 42638->42646 42640 6c8ded8a 42639->42640 42641 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42640->42641 42642 6c8ded9a wsprintfA 42641->42642 42643 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42642->42643 42644 6c8dedc1 42643->42644 42645 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42644->42645 42647 6c8dedd1 wsprintfA 42645->42647 42648 6c8de818 __DllMainCRTStartup@12 38 API calls 42646->42648 42649 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42647->42649 42650 6c8dee7a 42648->42650 42651 6c8dedf8 42649->42651 42652 6c8d4a5d 
__DllMainCRTStartup@12 38 API calls 42650->42652 42653 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42651->42653 42654 6c8dee8a 42652->42654 42653->42632 42655 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42654->42655 42656 6c8dee9c 42655->42656 42657 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42656->42657 42658 6c8deeac 42657->42658 42659 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42658->42659 42660 6c8deeca 42659->42660 42661 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42660->42661 42662 6c8deedf __DllMainCRTStartup@12 42661->42662 42663 6c8de818 __DllMainCRTStartup@12 38 API calls 42662->42663 42664 6c8def1e 42663->42664 42665 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42664->42665 42666 6c8def2e 42665->42666 42667 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42666->42667 42668 6c8def40 42667->42668 42669 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42668->42669 42670 6c8def50 42669->42670 42671 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42670->42671 42672 6c8def6e 42671->42672 42673 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42672->42673 42674 6c8def83 __DllMainCRTStartup@12 42673->42674 42675 6c8de818 __DllMainCRTStartup@12 38 API calls 42674->42675 42676 6c8defc2 42675->42676 42677 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42676->42677 42678 6c8defd2 42677->42678 42679 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42678->42679 42680 6c8defe4 42679->42680 42681 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42680->42681 42682 6c8deff4 42681->42682 42683 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42682->42683 42684 6c8df012 42683->42684 42685 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42684->42685 42686 6c8df027 __DllMainCRTStartup@12 42685->42686 42687 6c8de818 __DllMainCRTStartup@12 38 API calls 42686->42687 42688 6c8df066 42687->42688 42689 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42688->42689 42690 6c8df076 42689->42690 42691 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42690->42691 42692 6c8df088 42691->42692 42693 6c8d4a5d 
__DllMainCRTStartup@12 38 API calls 42692->42693 42694 6c8df098 42693->42694 43249 6c8e056b 42694->43249 42696 6c8df0b1 43255 6c8e0479 42696->43255 42698 6c8df0ca 42699 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42698->42699 42700 6c8df0df __DllMainCRTStartup@12 42699->42700 42701 6c8de818 __DllMainCRTStartup@12 38 API calls 42700->42701 42702 6c8df11e 42701->42702 42703 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42702->42703 42704 6c8df12e 42703->42704 42705 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42704->42705 42706 6c8df140 42705->42706 42707 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42706->42707 42708 6c8df150 RegCloseKey 42707->42708 43262 6c8e0834 42708->43262 42711 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42712 6c8df1b1 __DllMainCRTStartup@12 42711->42712 42713 6c8de818 __DllMainCRTStartup@12 38 API calls 42712->42713 42714 6c8df1f0 42713->42714 42715 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42714->42715 42716 6c8df200 42715->42716 42717 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42716->42717 42718 6c8df212 42717->42718 42719 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42718->42719 42720 6c8df222 GetPrivateProfileStringW 42719->42720 42721 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42720->42721 42722 6c8df25c __DllMainCRTStartup@12 42721->42722 42723 6c8de818 __DllMainCRTStartup@12 38 API calls 42722->42723 42724 6c8df29b 42723->42724 42725 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42724->42725 42726 6c8df2ab 42725->42726 42727 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42726->42727 42728 6c8df2bd 42727->42728 42729 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42728->42729 42731 6c8df2cd 42729->42731 42730 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42732 6c8df336 __DllMainCRTStartup@12 42730->42732 42731->42730 42733 6c8de818 __DllMainCRTStartup@12 38 API calls 42732->42733 42734 6c8df375 42733->42734 42735 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42734->42735 42736 6c8df385 42735->42736 42737 6c8d4a2e 
library calls 43840->44104 43842 6c8d7d29 43841->43842 43844 6c8d4149 __DllMainCRTStartup@12 36 API calls 43842->43844 43845 6c8d4149 __DllMainCRTStartup@12 36 API calls 43843->43845 43846 6c8d7d34 43844->43846 43847 6c8d58b5 43845->43847 43848 6c8d4149 __DllMainCRTStartup@12 36 API calls 43846->43848 43849 6c8d5a41 RpcStringBindingComposeA RpcBindingFromStringBindingA 43847->43849 43852 6c8d58cf 43847->43852 43851 6c8d7d3f 43848->43851 43850 6c8d44b1 __DllMainCRTStartup@12 38 API calls 43849->43850 43850->43840 43854 6c8d4149 __DllMainCRTStartup@12 36 API calls 43851->43854 43853 6c8d4149 __DllMainCRTStartup@12 36 API calls 43852->43853 43855 6c8d58e1 43853->43855 43856 6c8d7d4a 43854->43856 43857 6c8d4149 __DllMainCRTStartup@12 36 API calls 43855->43857 43858 6c8d4149 __DllMainCRTStartup@12 36 API calls 43856->43858 43860 6c8d58ec 43857->43860 43859 6c8d7d55 43858->43859 43862 6c8d4149 __DllMainCRTStartup@12 36 API calls 43859->43862 43863 6c8d4149 __DllMainCRTStartup@12 36 API calls 43860->43863 43861->43840 43864 6c8d7d60 43862->43864 43865 6c8d58f7 43863->43865 43866 6c8d4149 __DllMainCRTStartup@12 36 API calls 43864->43866 43867 6c8d4149 __DllMainCRTStartup@12 36 API calls 43865->43867 43868 6c8d7d6b 43866->43868 43869 6c8d5902 43867->43869 43870 6c8d4149 __DllMainCRTStartup@12 36 API calls 43868->43870 43871 6c8d4149 __DllMainCRTStartup@12 36 API calls 43869->43871 43872 6c8d7d76 43870->43872 43873 6c8d590d 43871->43873 43874 6c8d4149 __DllMainCRTStartup@12 36 API calls 43872->43874 43875 6c8d4149 __DllMainCRTStartup@12 36 API calls 43873->43875 43876 6c8d7d81 43874->43876 43877 6c8d5918 43875->43877 43878 6c8d4149 __DllMainCRTStartup@12 36 API calls 43876->43878 43879 6c8d4149 __DllMainCRTStartup@12 36 API calls 43877->43879 43880 6c8d7d8c 43878->43880 43881 6c8d5923 43879->43881 43882 6c8d4149 __DllMainCRTStartup@12 36 API calls 43880->43882 43883 6c8d4149 __DllMainCRTStartup@12 36 API calls 43881->43883 43884 6c8d7d97 43882->43884 43885 6c8d592e 
43883->43885 43887 6c8d4149 __DllMainCRTStartup@12 36 API calls 43884->43887 43886 6c8d4149 __DllMainCRTStartup@12 36 API calls 43885->43886 43888 6c8d5939 43886->43888 43889 6c8d7da2 43887->43889 43890 6c8d4149 __DllMainCRTStartup@12 36 API calls 43888->43890 43891 6c8d4149 __DllMainCRTStartup@12 36 API calls 43889->43891 43893 6c8d5944 43890->43893 43892 6c8d7dad 43891->43892 43895 6c8d4149 __DllMainCRTStartup@12 36 API calls 43892->43895 43896 6c8d4149 __DllMainCRTStartup@12 36 API calls 43893->43896 43894->43840 43897 6c8d7db8 43895->43897 43898 6c8d594f 43896->43898 43900 6c8d4149 __DllMainCRTStartup@12 36 API calls 43897->43900 43901 6c8d4149 __DllMainCRTStartup@12 36 API calls 43898->43901 43902 6c8d7dc3 43900->43902 43903 6c8d595a 43901->43903 43904 6c8d4149 __DllMainCRTStartup@12 36 API calls 43902->43904 43905 6c8d4149 __DllMainCRTStartup@12 36 API calls 43903->43905 43907 6c8d7dce 43904->43907 43908 6c8d5965 43905->43908 43906->43840 43909 6c8d4149 __DllMainCRTStartup@12 36 API calls 43907->43909 43910 6c8d4149 __DllMainCRTStartup@12 36 API calls 43908->43910 43912 6c8d7dd9 43909->43912 43913 6c8d5970 43910->43913 43911->43840 43914 6c8d4149 __DllMainCRTStartup@12 36 API calls 43912->43914 43915 6c8d4149 __DllMainCRTStartup@12 36 API calls 43913->43915 43916 6c8d7de4 43914->43916 43917 6c8d597b 43915->43917 43918 6c8d4149 __DllMainCRTStartup@12 36 API calls 43916->43918 43919 6c8d4149 __DllMainCRTStartup@12 36 API calls 43917->43919 43920 6c8d7def 43918->43920 43921 6c8d5986 43919->43921 43923 6c8d4149 __DllMainCRTStartup@12 36 API calls 43920->43923 43922 6c8d4149 __DllMainCRTStartup@12 36 API calls 43921->43922 43924 6c8d5991 43922->43924 43925 6c8d7dfa 43923->43925 43926 6c8d4149 __DllMainCRTStartup@12 36 API calls 43924->43926 43927 6c8d4149 __DllMainCRTStartup@12 36 API calls 43925->43927 43929 6c8d599c 43926->43929 43928 6c8d7e05 43927->43928 43930 6c8d4149 __DllMainCRTStartup@12 36 API calls 43928->43930 43931 6c8d4149 __DllMainCRTStartup@12 36 
API calls 43929->43931 43932 6c8d7e10 43930->43932 43933 6c8d59a7 43931->43933 43934 6c8d4149 __DllMainCRTStartup@12 36 API calls 43932->43934 43935 6c8d4149 __DllMainCRTStartup@12 36 API calls 43933->43935 43936 6c8d7e1b 43934->43936 43937 6c8d59b2 43935->43937 43938 6c8d4149 __DllMainCRTStartup@12 36 API calls 43936->43938 43939 6c8d4149 __DllMainCRTStartup@12 36 API calls 43937->43939 43940 6c8d7e26 43938->43940 43941 6c8d59bd 43939->43941 43942 6c8d4149 __DllMainCRTStartup@12 36 API calls 43940->43942 43943 6c8d4149 __DllMainCRTStartup@12 36 API calls 43941->43943 43944 6c8d7e31 43942->43944 43945 6c8d59c8 43943->43945 43946 6c8d4149 __DllMainCRTStartup@12 36 API calls 43944->43946 43947 6c8d4149 __DllMainCRTStartup@12 36 API calls 43945->43947 43948 6c8d7e3c 43946->43948 43949 6c8d59d3 43947->43949 43950 6c8d4149 __DllMainCRTStartup@12 36 API calls 43948->43950 43951 6c8d4149 __DllMainCRTStartup@12 36 API calls 43949->43951 43952 6c8d7e47 43950->43952 43953 6c8d59de 43951->43953 43955 6c8d4149 __DllMainCRTStartup@12 36 API calls 43952->43955 43954 6c8d4149 __DllMainCRTStartup@12 36 API calls 43953->43954 43956 6c8d59e9 43954->43956 43957 6c8d7e52 43955->43957 43958 6c8d4149 __DllMainCRTStartup@12 36 API calls 43956->43958 43960 6c8d4149 __DllMainCRTStartup@12 36 API calls 43957->43960 43962 6c8d59f4 43958->43962 43968 6c8d5e23 __DllMainCRTStartup@12 43959->43968 43980 6c8d5eb0 __DllMainCRTStartup@12 43959->43980 43961 6c8d7e5d 43960->43961 43963 6c8d4149 __DllMainCRTStartup@12 36 API calls 43961->43963 43964 6c8d4149 __DllMainCRTStartup@12 36 API calls 43962->43964 43965 6c8d7e68 43963->43965 43966 6c8d59ff 43964->43966 43969 6c8d5a36 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 43965->43969 43970 6c8d4149 __DllMainCRTStartup@12 36 API calls 43965->43970 43971 6c8d4149 __DllMainCRTStartup@12 36 API calls 43966->43971 43967->43840 44089 6c8d163c 38 API calls __DllMainCRTStartup@12 43968->44089 43970->43969 43972 6c8d5a0a 43971->43972 43975 
6c8d4149 __DllMainCRTStartup@12 36 API calls 43972->43975 43973 6c8d5eab 43977 6c8d5a15 43975->43977 43976 6c8d5e4d 44090 6c8d4481 36 API calls __DllMainCRTStartup@12 43976->44090 43979 6c8d4149 __DllMainCRTStartup@12 36 API calls 43977->43979 43983 6c8d5a20 43979->43983 43980->43973 43986 6c8dcafb __DllMainCRTStartup@12 38 API calls 43980->43986 43981 6c8d5e5c 43984 6c8d4149 __DllMainCRTStartup@12 36 API calls 43981->43984 43982->43840 43985 6c8d4149 __DllMainCRTStartup@12 36 API calls 43983->43985 43987 6c8d5e67 __DllMainCRTStartup@12 43984->43987 43988 6c8d5a2b 43985->43988 43989 6c8d5f0d 43986->43989 44091 6c8d163c 38 API calls __DllMainCRTStartup@12 43987->44091 43990 6c8d4149 __DllMainCRTStartup@12 36 API calls 43988->43990 44093 6c8dc14f 38 API calls __DllMainCRTStartup@12 43989->44093 43990->43969 43991 6c8e8f90 __DllMainCRTStartup@12 41 API calls 43991->44035 43994 6c8d5e91 44092 6c8d4481 36 API calls __DllMainCRTStartup@12 43994->44092 43995 6c8d603e CreateFileA 43995->44035 43997 6c8d5f1f __DllMainCRTStartup@12 44000 6c8dcafb __DllMainCRTStartup@12 38 API calls 43997->44000 43998 6c8d5ea0 43999 6c8d4149 __DllMainCRTStartup@12 36 API calls 43998->43999 43999->43973 44002 6c8d5f69 44000->44002 44001 6c8d606a WriteFile CloseHandle 44001->44035 44094 6c8dc14f 38 API calls __DllMainCRTStartup@12 44002->44094 44004 6c8d5f7b 44006 6c8d44b1 __DllMainCRTStartup@12 38 API calls 44004->44006 44005 6c8d7c1e Sleep 44005->43840 44007 6c8d5f98 44006->44007 44008 6c8d44b1 __DllMainCRTStartup@12 38 API calls 44007->44008 44010 6c8d5fa8 44008->44010 44009 6c8d320c __DllMainCRTStartup@12 38 API calls 44009->44035 44011 6c8d4149 __DllMainCRTStartup@12 36 API calls 44010->44011 44012 6c8d5fb3 44011->44012 44012->43973 44013 6c8d4149 __DllMainCRTStartup@12 36 API calls 44012->44013 44013->43973 44014 6c8d4a5d 38 API calls __DllMainCRTStartup@12 44014->44035 44015 6c8d4a2e 38 API calls __DllMainCRTStartup@12 44015->44035 44016 6c8d30d6 38 API calls __DllMainCRTStartup@12 
44016->44035 44018 6c8d16a1 __DllMainCRTStartup@12 38 API calls 44018->44035 44019->43840 44022 6c8d15ca 38 API calls __DllMainCRTStartup@12 44022->44035 44023 6c8d7454 WinExec 44024 6c8d15ca __DllMainCRTStartup@12 38 API calls 44023->44024 44024->44035 44025 6c8d7816 WinExec Sleep 44026 6c8d320c __DllMainCRTStartup@12 38 API calls 44025->44026 44057 6c8d7838 _strcat __fread_nolock _strncpy __DllMainCRTStartup@12 44026->44057 44027 6c8dcafb __DllMainCRTStartup@12 38 API calls 44027->44035 44028->43840 44029 6c8d1584 38 API calls __DllMainCRTStartup@12 44029->44035 44033 6c8dc498 82 API calls __DllMainCRTStartup@12 44033->44057 44035->43991 44035->43995 44035->44001 44035->44005 44035->44009 44035->44014 44035->44015 44035->44016 44035->44018 44035->44022 44035->44023 44035->44025 44035->44027 44035->44029 44037 6c8d4149 36 API calls __DllMainCRTStartup@12 44035->44037 44059 6c8d80d7 44 API calls __DllMainCRTStartup@12 44035->44059 44065 6c8d6ed9 PathFileExistsA 44035->44065 44066 6c8d44b1 38 API calls __DllMainCRTStartup@12 44035->44066 44067 6c8d6eef DeleteFileA 44035->44067 44068 6c8d6f2e CreateFileA WriteFile CloseHandle 44035->44068 44070 6c8d6f85 PathFileExistsA 44035->44070 44095 6c8d4481 36 API calls __DllMainCRTStartup@12 44035->44095 44102 6c8d2e9d 102 API calls __DllMainCRTStartup@12 44035->44102 44103 6c8d4a73 67 API calls __DllMainCRTStartup@12 44035->44103 44037->44035 44038 6c8d4149 __DllMainCRTStartup@12 36 API calls 44038->44005 44041 6c8d44b1 __DllMainCRTStartup@12 38 API calls 44041->44057 44043 6c8d4a5d __DllMainCRTStartup@12 38 API calls 44043->44057 44044->43840 44045 6c8d320c 38 API calls __DllMainCRTStartup@12 44045->44057 44046 6c8d15ca __DllMainCRTStartup@12 38 API calls 44046->44057 44047 6c8d1584 38 API calls __DllMainCRTStartup@12 44047->44057 44048->43840 44049 6c8d4a2e __DllMainCRTStartup@12 38 API calls 44049->44057 44050->43840 44052 6c8dcafb 38 API calls __DllMainCRTStartup@12 44052->44057 44053 6c8e8f90 __DllMainCRTStartup@12 41 
API calls 44053->44057 44054 6c8d4481 36 API calls __DllMainCRTStartup@12 44054->44057 44056 6c8d4149 36 API calls __DllMainCRTStartup@12 44056->44057 44057->44033 44057->44038 44057->44041 44057->44043 44057->44045 44057->44046 44057->44047 44057->44049 44057->44052 44057->44053 44057->44054 44057->44056 44058 6c8d80d7 44 API calls __DllMainCRTStartup@12 44057->44058 44105 6c8d2e9d 102 API calls __DllMainCRTStartup@12 44057->44105 44106 6c8ddada 82 API calls 2 library calls 44057->44106 44107 6c8dc2be 82 API calls 2 library calls 44057->44107 44108 6c8daaa8 69 API calls __DllMainCRTStartup@12 44057->44108 44109 6c8d4a73 67 API calls __DllMainCRTStartup@12 44057->44109 44058->44057 44059->44035 44060->43840 44062->43840 44063->43840 44065->44035 44066->44035 44067->44035 44069 6c8d44b1 __DllMainCRTStartup@12 38 API calls 44068->44069 44069->44035 44070->44035 44073 6c8d1269 __DllMainCRTStartup@12 44071->44073 44110 6c8d3ee1 44073->44110 44077 6c8d14d4 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 44077->43833 44078 6c8d12fb __DllMainCRTStartup@12 44114 6c8dc804 44078->44114 44080 6c8d3ee1 __DllMainCRTStartup@12 46 API calls 44079->44080 44081 6c8d4556 __DllMainCRTStartup@12 44080->44081 44087 6c8d4583 std::ios_base::_Ios_base_dtor __DllMainCRTStartup@12 44081->44087 44145 6c8d2bc5 44081->44145 44082 6c8dc804 __DllMainCRTStartup@12 38 API calls 44083 6c8d4632 44082->44083 44084 6c8d441a __DllMainCRTStartup@12 46 API calls 44083->44084 44086 6c8d4640 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 44084->44086 44086->43840 44087->44082 44088->43840 44089->43976 44090->43981 44091->43994 44092->43998 44093->43997 44094->44004 44095->44035 44096->43840 44097->43840 44098->43840 44099->43840 44100->43840 44101->43840 44102->44035 44103->44035 44104->43840 44105->44057 44106->44057 44107->44057 44108->44057 44109->44057 44111 6c8d3ef4 __DllMainCRTStartup@12 44110->44111 44113 6c8d3f0b __DllMainCRTStartup@12 44111->44113 44123 6c8db79e 46 API calls 
2 library calls 44111->44123 44113->44078 44115 6c8dc816 __DllMainCRTStartup@12 44114->44115 44124 6c8da979 44115->44124 44118 6c8d441a 44139 6c8e0c47 44118->44139 44120 6c8d4427 44121 6c8d4450 __DllMainCRTStartup@12 44120->44121 44143 6c8d9e71 38 API calls __DllMainCRTStartup@12 44120->44143 44121->44077 44123->44113 44125 6c8da98a 44124->44125 44128 6c8da9c5 44125->44128 44129 6c8d14c6 44128->44129 44130 6c8da9ee 44128->44130 44129->44118 44131 6c8da9ff __DllMainCRTStartup@12 44130->44131 44136 6c8e497c RaiseException 44130->44136 44137 6c8d3db5 38 API calls __DllMainCRTStartup@12 44131->44137 44134 6c8daa41 44138 6c8e497c RaiseException 44134->44138 44136->44131 44137->44134 44138->44129 44139->44120 44140 6c8e5005 44139->44140 44144 6c8e536a 8 API calls ___vcrt_FlsGetValue 44140->44144 44142 6c8e500a 44142->44120 44143->44121 44144->44142 44159 6c8e09f5 44145->44159 44149 6c8d2c0e __DllMainCRTStartup@12 44181 6c8e0a4d LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 44149->44181 44150 6c8d2bf1 __DllMainCRTStartup@12 44150->44149 44171 6c8d900a 44150->44171 44153 6c8d2c8b __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 44153->44087 44155 6c8d2c29 44179 6c8da188 RaiseException _com_raise_error __DllMainCRTStartup@12 44155->44179 44157 6c8d2c30 __DllMainCRTStartup@12 44180 6c8e0dab 16 API calls std::_Facet_Register 44157->44180 44160 6c8e0a0b 44159->44160 44161 6c8e0a04 44159->44161 44163 6c8d2bdf 44160->44163 44183 6c8e1646 EnterCriticalSection 44160->44183 44182 6c8eddbb 6 API calls std::_Lockit::_Lockit 44161->44182 44165 6c8d4779 44163->44165 44166 6c8d47c4 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 44165->44166 44167 6c8d4794 44165->44167 44166->44150 44168 6c8e09f5 std::_Lockit::_Lockit 7 API calls 44167->44168 44169 6c8d479e 44168->44169 44184 6c8e0a4d LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 44169->44184 44172 6c8d2c22 44171->44172 44173 6c8d901a 44171->44173 44172->44155 44172->44157 
44173->44172 44174 6c8e1bf5 std::_Facet_Register 16 API calls 44173->44174 44175 6c8d9029 __DllMainCRTStartup@12 44174->44175 44178 6c8d9046 44175->44178 44185 6c8d392d 44175->44185 44178->44172 44193 6c8d4255 68 API calls 3 library calls 44178->44193 44179->44149 44180->44149 44181->44153 44182->44163 44183->44163 44184->44166 44186 6c8e09f5 std::_Lockit::_Lockit 7 API calls 44185->44186 44187 6c8d393e __DllMainCRTStartup@12 44186->44187 44188 6c8d3995 44187->44188 44189 6c8d3986 44187->44189 44203 6c8e0c27 38 API calls 2 library calls 44188->44203 44194 6c8e0edd 44189->44194 44193->44172 44204 6c8ee027 44194->44204 44211 6c8f3091 44204->44211 44232 6c8f2a40 5 API calls std::_Lockit::_Lockit 44211->44232 44213 6c8f3096 44233 6c8f2a5a 5 API calls std::_Lockit::_Lockit 44213->44233 44215 6c8f309b 44234 6c8f2a74 5 API calls std::_Lockit::_Lockit 44215->44234 44217 6c8f30a0 44235 6c8f2a8e 5 API calls std::_Lockit::_Lockit 44217->44235 44219 6c8f30a5 44236 6c8f2aa8 5 API calls std::_Lockit::_Lockit 44219->44236 44221 6c8f30aa 44237 6c8f2ac2 5 API calls std::_Lockit::_Lockit 44221->44237 44223 6c8f30af 44238 6c8f2adc 5 API calls std::_Lockit::_Lockit 44223->44238 44225 6c8f30b4 44239 6c8f2af6 5 API calls std::_Lockit::_Lockit 44225->44239 44227 6c8f30b9 44240 6c8f2b2a 5 API calls std::_Lockit::_Lockit 44227->44240 44229 6c8f30be 44241 6c8f2b10 5 API calls std::_Lockit::_Lockit 44229->44241 44231 6c8f30c3 44231->44231 44232->44213 44233->44215 44234->44217 44235->44219 44236->44221 44237->44223 44238->44225 44239->44227 44240->44229 44241->44231 44242 2de19c6e GlobalAddAtomA

                        Control-flow Graph (starting at block 6c8d4f22-6c8d50ac; graph data omitted)
                        APIs
                        • Sleep.KERNELBASE(000003E8,58160781928836700431202065781531683322301950835055,7B4BA14C,?,?,?,?,?,?,6C8E4DE0,6C9118B0,000000FE,?,6C8D7E9A), ref: 6C8D4F76
                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?), ref: 6C8D4FD2
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,6C90438C,000000FF,?), ref: 6C8D508E
                        • CloseHandle.KERNELBASE(?), ref: 6C8D50B4
                        • Sleep.KERNELBASE(0000EA60), ref: 6C8D50BF
                          • Part of subcall function 6C8DCB90: CoInitializeEx.COMBASE(00000000,00000000,?,74732E646174), ref: 6C8DCBA9
                        • CreateFileA.KERNELBASE(00000000,?,?,?,80000000,00000000,00000000,00000001,00000080,00000000), ref: 6C8D5101
                        • CloseHandle.KERNELBASE(?,?,?,?,80000000,00000000,00000000,00000001,00000080,00000000), ref: 6C8D511E
                        • CloseHandle.KERNEL32(?), ref: 6C8D512C
                        • GetUserNameA.ADVAPI32(?,?), ref: 6C8D515C
                        • Sleep.KERNEL32(00000BB8,?), ref: 6C8D51BB
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,00000000,?,?,?,?,?,?), ref: 6C8D5328
                        • ReadFile.KERNEL32(?,?,0000000F,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 6C8D535D
                        • CloseHandle.KERNELBASE(?), ref: 6C8D53B9
                        • Sleep.KERNELBASE(?,?,?,?), ref: 6C8D5467
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • RpcStringBindingComposeA.RPCRT4(00000000,?,?,?,00000000,?), ref: 6C8D5BBF
                        • RpcBindingFromStringBindingA.RPCRT4(?,?), ref: 6C8D5BD8
                        • _strcat.LIBCMT ref: 6C8D5C8F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleSleep$Binding$NameString$ComposeFromInitializeModuleReadUser_strcat
                        • String ID: ----$---------$2463616368652E646174$24746D702E747874$433A5C5C50726F6772616D446174615C5C$434D44$443$444C59$44574E$4552524F52$4552524F525245504C414345$48415348$4944$494E46$4E4554455252$4F4B$52554E$53495A45$53595354454D20494E464F524D4154494F4E205C6E$5645524946494544$58160781928836700431202065781531683322301950835055$5C6E5C6E205B50524F43455353204C4953545D205C6E$633A5C55736572735C5075626C69635C63722E646174$633A5C5C50726F6772616D446174615C5C24746D702E747874$636D642E657865202F6320$74732E646174$7C2A3F2928257D5E267B$<$>> $_$_$a$c$c$c$d$d$d$i$n$n$outlook-web.ddns.net$p$p$t$|$|-|
                        • API String ID: 163969156-3700135009
                        • Opcode ID: f91815ecfce99f776967d73470293dd5268675f18a1ed48f02e5e34f9808df4e
                        • Instruction ID: 526b2a0a3c68c2dad3853101b2f59770ce03f1411d57ee0b4dcabdc85bdb5089
                        • Opcode Fuzzy Hash: f91815ecfce99f776967d73470293dd5268675f18a1ed48f02e5e34f9808df4e
                        • Instruction Fuzzy Hash: 9D431C72D1022D9ADB35DB64CD91EDEB378AF54208F4109F6A589A2590EFB0A7CCCF50

                        Control-flow Graph

                        • Graph start: 6c8dea93 (legend: Executed / Not Executed)
                        • APIs named in the graph: GetSystemDirectoryW, GetSystemInfo, GetComputerNameW, RegOpenKeyExW, GetVersionExW, GetModuleHandleA, LoadStringW, wsprintfA, RegCloseKey, GetPrivateProfileStringW, GetLocaleInfoW, SHLoadIndirectString, GetTimeZoneInformation, RegEnumKeyExW, GlobalMemoryStatus, NetGetJoinInformation, NetApiBufferFree
                        APIs
                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6C8DEAD0
                        • GetSystemInfo.KERNELBASE(?), ref: 6C8DEB13
                        • GetComputerNameW.KERNEL32(?,00000400), ref: 6C8DEB31
                        • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000101,?,6C904B84,00000000,?,?,?,?,?,?,?,6C8D51CF,?), ref: 6C8DEC11
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: System$ComputerDirectoryInfoNameOpen
                        • String ID: %s\oeminfo.ini$Available Physical Memory:$BIOS Date:$BIOSVENDOR$BIOSVENDOR:$BiosVersion:$Boot Device:$CurrentType$Display$Domain:$Error! GetComputerName failed.$Error! GetSystemDirectory failed.$Error! RegOpenKeyEx failed.$General$General$HARDWARE\DESCRIPTION\System$HARDWARE\DESCRIPTION\System$HARDWARE\DESCRIPTION\System\BIOS$HARDWARE\DESCRIPTION\System\CentralProcessor\%u$Host Name:$Identifier$Input Locale:$Install Date:$InstallDate$Keyboard Layout\Preload$MIME\Database\Rfc1766$MIME\Database\Rfc1766$Manufacturer$Model$OS Build Type :$OS Name:$OS Version :$Page File Location(s):$PagingFiles$Processor(s):$Product ID:$ProductId$ProductName$Registered Owner:$RegisteredOrganization$RegisteredOrganization:$RegisteredOwner$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones$SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management$SYSTEM\Setup$Std$System Locale:$System Manufacturer:$System Model:$System type:$SystemBiosDate$SystemBiosVersion$SystemPartition$Time zone:$To Be Filled By O.E.M.$To Be Filled By O.E.M.$Total Physical Memory:$VendorIdentifier$Virtual Memory: Available:$Virtual Memory: In Use:$Virtual Memory: Max Size:$[%02u]:
                        • API String ID: 1805411109-2676738833
                        • Opcode ID: 8207bbe70c777b42c627f071c8324f61cd7c0e2dd274ba62e1336a57466bfe8b
                        • Instruction ID: 629e078bff64b969d28ca8e44f8c79f723c35b7bed688229b81624331e52f29f
                        • Opcode Fuzzy Hash: 8207bbe70c777b42c627f071c8324f61cd7c0e2dd274ba62e1336a57466bfe8b
                        • Instruction Fuzzy Hash: 51D2F9719000699ACB35EB54CE90EDDB379EF65308F4109F9A10AB2960EF31AF99DF50

                        Control-flow Graph

                        • Graph start: 6c8dcb90 (legend: Executed / Not Executed)
                        • APIs named in the graph: CoInitializeEx, CoInitializeSecurity, CoUninitialize, GetModuleFileNameW, CoCreateInstance
                        APIs
                        • CoInitializeEx.COMBASE(00000000,00000000,?,74732E646174), ref: 6C8DCBA9
                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 6C8DCBD8
                        • CoUninitialize.OLE32 ref: 6C8DCBED
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Initialize$SecurityUninitialize
                        • String ID: 2018-01-01T00:00:00$74732E646174$MICROSOFT$PT1H$PT24H$PT5M$Trigger1
                        • API String ID: 3757020523-551846892
                        • Opcode ID: 0262020b9f52248821ae6b2630be7cac55ff0ca6aae0c0b62f5f75de1e0314f2
                        • Instruction ID: 34a6222d4b8b2edf84a1b2a2aa446f607ed478a4168510fe704580c5175e6f32
                        • Opcode Fuzzy Hash: 0262020b9f52248821ae6b2630be7cac55ff0ca6aae0c0b62f5f75de1e0314f2
                        • Instruction Fuzzy Hash: 6BA2AF35A05229EFCB61EF68DD8CB8CB7B1AF59315F1145E4E409AB660CB71AE85CF00

                        Control-flow Graph

                        • Graph start: 6c8de49b (legend: Executed / Not Executed)
                        • Calls named in the graph: call 6c8d7e8d, GetProcAddress * 15
                        APIs
                        • ?GetFileVersionInfoByHandleEx@@YGHXZ.OLMAPI32(?,?,6C8E2118,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6C911EC0,0000000C,00000007,6C911E98), ref: 6C8DE4B0
                        • GetProcAddress.KERNEL32(GetFileVersionInfoA), ref: 6C8DE4C0
                        • GetProcAddress.KERNEL32(GetFileVersionInfoByHandle), ref: 6C8DE4D6
                        • GetProcAddress.KERNEL32(GetFileVersionInfoExW), ref: 6C8DE4EC
                        • GetProcAddress.KERNEL32(GetFileVersionInfoSizeA), ref: 6C8DE502
                        • GetProcAddress.KERNEL32(GetFileVersionInfoSizeExW), ref: 6C8DE518
                        • GetProcAddress.KERNEL32(GetFileVersionInfoSizeW), ref: 6C8DE52E
                        • GetProcAddress.KERNEL32(GetFileVersionInfoW), ref: 6C8DE544
                        • GetProcAddress.KERNEL32(VerFindFileA), ref: 6C8DE55A
                        • GetProcAddress.KERNEL32(VerFindFileW), ref: 6C8DE570
                        • GetProcAddress.KERNEL32(VerInstallFileA), ref: 6C8DE586
                        • GetProcAddress.KERNEL32(VerInstallFileW), ref: 6C8DE59C
                        • GetProcAddress.KERNEL32(VerLanguageNameA), ref: 6C8DE5B2
                        • GetProcAddress.KERNEL32(VerLanguageNameW), ref: 6C8DE5C8
                        • GetProcAddress.KERNEL32(VerQueryValueA), ref: 6C8DE5DE
                        • GetProcAddress.KERNEL32(VerQueryValueW), ref: 6C8DE5F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$Ex@@FileHandleInfoVersion
                        • String ID: GetFileVersionInfoA$GetFileVersionInfoByHandle$GetFileVersionInfoExW$GetFileVersionInfoSizeA$GetFileVersionInfoSizeExW$GetFileVersionInfoSizeW$GetFileVersionInfoW$VerFindFileA$VerFindFileW$VerInstallFileA$VerInstallFileW$VerLanguageNameA$VerLanguageNameW$VerQueryValueA$VerQueryValueW
                        • API String ID: 3596192317-236624654
                        • Opcode ID: f072896a3b02348bb7a272fdb9553e8c93e0909353785a1f3a2cbfd6befbd3db
                        • Instruction ID: e53535ee521f09cf2b35ecded4f048107fcc1d63a5eaadbc3567a4ebcff32684
                        • Opcode Fuzzy Hash: f072896a3b02348bb7a272fdb9553e8c93e0909353785a1f3a2cbfd6befbd3db
                        • Instruction Fuzzy Hash: 7231207471A924EFDF217FA0CA088263FB5F767742321062DB909A6620E7315A20FF48

                        Control-flow Graph

                        APIs
                        • GetModuleHandleW.KERNEL32(kernel32.dll,HeapSetInformation), ref: 2DE174F1
                        • GetProcAddress.KERNEL32(00000000), ref: 2DE174F8
                        • GetProcessHeap.KERNEL32(00000001,00000000,00000000), ref: 2DE1750A
                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 2DE17517
                        • GetCurrentProcessId.KERNEL32 ref: 2DE17523
                        • GetCurrentThreadId.KERNEL32 ref: 2DE1752B
                        • GetTickCount.KERNEL32 ref: 2DE17533
                        • QueryPerformanceCounter.KERNEL32(?), ref: 2DE1753F
                        • VirtualProtect.KERNELBASE(2DE032CC,00000004,00000040,?), ref: 2DE17561
                        • VirtualProtect.KERNELBASE(2DE032CC,00000004,?,?), ref: 2DE17581
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectTimeVirtual$AddressCountCounterFileHandleHeapModulePerformanceProcQuerySystemThreadTick
                        • String ID: HeapSetInformation$kernel32.dll
                        • API String ID: 2966426798-3597996958
                        • Opcode ID: 5ac41d8e3d28cc468847c5eea9df34e449443920141bdb95cdfff572bc11dd1b
                        • Instruction ID: abf493660a71ce8ec7c99d90046e81815dfaf38e62c8f3643371ce2a7650bd3f
                        • Opcode Fuzzy Hash: 5ac41d8e3d28cc468847c5eea9df34e449443920141bdb95cdfff572bc11dd1b
                        • Instruction Fuzzy Hash: 261121B7D00214ABC710ABB0CC49B9E77F8AB08B56F420551FA42FB241DA75DA01CBA4

                        Control-flow Graph

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C8D7EB6
                        • Process32First.KERNEL32(000000FF,00000128), ref: 6C8D7EF6
                        • CloseHandle.KERNEL32(000000FF,00000002,00000000), ref: 6C8D7F05
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                        • String ID: ERROR$ERROR
                        • API String ID: 1083639309-2579291623
                        • Opcode ID: a95d703a53c0c058863904cc0947bf2bcfc29bfc1955ab9b1c5f65cfe8e3dd9b
                        • Instruction ID: 7697f07892553eb9d7a520f610ebe72598f5d72a68a11f534e12970435c0934a
                        • Opcode Fuzzy Hash: a95d703a53c0c058863904cc0947bf2bcfc29bfc1955ab9b1c5f65cfe8e3dd9b
                        • Instruction Fuzzy Hash: 4F212F30A00218EBCB34DF65DE40BDD7774AF59305F1149B8A519A6AA0DB30AE89CF40
                        APIs
                        • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 2DE03E58
                        • GetLastError.KERNEL32 ref: 2DE03E8E
                        Strings
                        • IsolationAware function called after IsolationAwareCleanup, xrefs: 2DE03E53
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: DebugErrorLastOutputString
                        • String ID: IsolationAware function called after IsolationAwareCleanup
                        • API String ID: 4132100945-2690750368
                        • Opcode ID: 4f7ed09b74f1d6dacb50aa306d3edb595997ddf75352d858c255c980011f5f0d
                        • Instruction ID: 527cd5ec6fc51f33c58d2766b730fd58c3500574e357dd278dc4eea3d0efc616
                        • Opcode Fuzzy Hash: 4f7ed09b74f1d6dacb50aa306d3edb595997ddf75352d858c255c980011f5f0d
                        • Instruction Fuzzy Hash: FFF09032A083248B8715AFA5890077EB6E5D705F977140226F7A6F0600CF75C852DBE5
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressCall2ClientHandleModuleProc__fread_nolock
                        • String ID: %02X$outlook-web.ddns.net
                        • API String ID: 3264646418-2483746315
                        • Opcode ID: ee644dc9bb411605fe755cbaef7909965d9cc393d12c73f4292f7587e374d0cf
                        • Instruction ID: ac6d87de7b8aa7645141c6c39d7b2338c5dd52b14bb20461fd29782e9b4f50f7
                        • Opcode Fuzzy Hash: ee644dc9bb411605fe755cbaef7909965d9cc393d12c73f4292f7587e374d0cf
                        • Instruction Fuzzy Hash: 4181E231A08055CFCB19CB69C952BADB7F6FB4E308F15846ED992E7681C734A901CF84

                        Control-flow Graph

                        • Graph start: 6c8dfb96 (legend: Executed / Not Executed)
                        • APIs named in the graph: RegEnumKeyExW, RegCloseKey, GlobalMemoryStatus, NetGetJoinInformation, NetApiBufferFree
                        APIs
                        • RegEnumKeyExW.KERNELBASE(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 6C8DFBCF
                        • RegCloseKey.ADVAPI32(?), ref: 6C8DFD02
                        • GlobalMemoryStatus.KERNEL32(?), ref: 6C8DFD0F
                          • Part of subcall function 6C8E05F9: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000101,?,?,00000000), ref: 6C8E062C
                          • Part of subcall function 6C8E05F9: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000), ref: 6C8E0650
                          • Part of subcall function 6C8E05F9: RegCloseKey.KERNELBASE(00000006), ref: 6C8E0689
                          • Part of subcall function 6C8E03E4: GetNumberFormatW.KERNEL32(00000800,00000000,?,00000000,?,000003FD), ref: 6C8E0441
                        • NetGetJoinInformation.NETAPI32(00000000,?,?,?,00000000,?,00000000,?), ref: 6C8E0153
                        • NetApiBufferFree.NETAPI32(?,6C905408,?,Domain:,00000000,?,00000000,?,00000000,?), ref: 6C8E0214
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Close$BufferEnumFormatFreeGlobalInformationJoinMemoryNumberOpenQueryStatusValue
                        • String ID: Available Physical Memory:$Display$Domain:$Page File Location(s):$PagingFiles$SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management$Std$Time zone:$Total Physical Memory:$Virtual Memory: Available:$Virtual Memory: In Use:$Virtual Memory: Max Size:
                        • API String ID: 369352865-1736252339
                        • Opcode ID: 65c1270ce9cb196cc0c3ce30115308c1f24eb4a254fcbfe976e27f29cf07cebb
                        • Instruction ID: c043fef11c118bd54a1e68b5ad4d18ade83cf3639b0c8c706722672764f93f81
                        • Opcode Fuzzy Hash: 65c1270ce9cb196cc0c3ce30115308c1f24eb4a254fcbfe976e27f29cf07cebb
                        • Instruction Fuzzy Hash: E212FC318110699ACF35EB68CE90DDDB379AF95348F4109F9A10AA2960EF306F9DDF50

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 2DE03D39
                        • SetLastError.KERNEL32(0000006F), ref: 2DE03D4F
                        • GetLastError.KERNEL32 ref: 2DE03DA7
                        • LoadLibraryW.KERNELBASE(Comctl32.dll), ref: 2DE03E19
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$FileLibraryLoadModuleName
                        • String ID: $@$Comctl32.dll$GetModuleHandleExW$QueryActCtxW
                        • API String ID: 2178654626-2626125606
                        • Opcode ID: 97e74fdcb0b57d66c85690f563f94ca4b38ed0024d4d6e5f46bb0ac998f6ff87
                        • Instruction ID: 4a448aeae9a162b8c916a73a19ce401ab2f0d65dcee8bd01de611009da70ed5a
                        • Opcode Fuzzy Hash: 97e74fdcb0b57d66c85690f563f94ca4b38ed0024d4d6e5f46bb0ac998f6ff87
                        • Instruction Fuzzy Hash: A741C3319093249ADB609B65CC88BED77B4EF94B16F100399E249F6190DF788A81CF55

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • __allrem.LIBCMT ref: 6C8EDB93
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8EDBAF
                        • __allrem.LIBCMT ref: 6C8EDBC6
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8EDBE4
                        • __allrem.LIBCMT ref: 6C8EDBFB
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8EDC19
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID: 74732E646174
                        • API String ID: 1992179935-138923103
                        • Opcode ID: 94d0e94a8f46061bbfe044791ce4e181156ba776a5c7f4a890ea9cae3aa4525e
                        • Instruction ID: 72014c4ff83479da2e2638c78fcae1d52f8342a43993aab490f89b544408e354
                        • Opcode Fuzzy Hash: 94d0e94a8f46061bbfe044791ce4e181156ba776a5c7f4a890ea9cae3aa4525e
                        • Instruction Fuzzy Hash: FE812B716007159BE3309E6CCE40B9A73A9DFCA7A8F148A3FE510D7B80EB70DA098750

                        Control-flow Graph

                        APIs
                        • GetModuleHandleA.KERNEL32(RPCRT4.dll), ref: 6C8E08F4
                        • GetProcAddress.KERNEL32(000000FF,?), ref: 6C8E0974
                        • NdrClientCall2.RPCRT4(6C9054A8,-6C905435,?), ref: 6C8E09A1
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressCall2ClientHandleModuleProc
                        • String ID: NdrC$RPCRT4.dll$all2$lientC
                        • API String ID: 614992055-1156160658
                        • Opcode ID: 7e4113a07029494f8ad52ec0521a36e49a0def259925514dd37d70b8cb5c877d
                        • Instruction ID: c91804c25a85e8ea23aa3fc6dc10386cbe4a5fc1bd324d9039a7f068072e85d6
                        • Opcode Fuzzy Hash: 7e4113a07029494f8ad52ec0521a36e49a0def259925514dd37d70b8cb5c877d
                        • Instruction Fuzzy Hash: AE211F75E04258DFDB10DFA4C946BDD7BB8AB4E204F1089AAD51AF6640E7309B48DF21

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • GetModuleHandleW.KERNEL32(KERNEL32), ref: 2DE050CF
                        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 2DE050E9
                        • GetProcAddress.KERNEL32(00000000,GetSystemDEPPolicy), ref: 2DE050F3
                        • SetProcessDEPPolicy.KERNEL32(00000001), ref: 2DE05106
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModulePolicyProcess
                        • String ID: GetSystemDEPPolicy$KERNEL32$SetProcessDEPPolicy
                        • API String ID: 3256987805-2000083379
                        • Opcode ID: 65ded2f1829e9e66ef7d8077a9ecd5e414f64ba099834ed8ba9d74fbec52d4cf
                        • Instruction ID: f2df36c6b64b63516e6bc1c9e43c0d7bd62a94cfa4d811259a97d2892a6e7fee
                        • Opcode Fuzzy Hash: 65ded2f1829e9e66ef7d8077a9ecd5e414f64ba099834ed8ba9d74fbec52d4cf
                        • Instruction Fuzzy Hash: 91E08C32605B113AD60062F95CC4FBB6AF89FE99ABB100526FA01F620ACE95D411C5A2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • __RTC_Initialize.LIBCMT ref: 6C8E203F
                        • ___scrt_uninitialize_crt.LIBCMT ref: 6C8E2059
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Initialize___scrt_uninitialize_crt
                        • String ID:
                        • API String ID: 2442719207-0
                        • Opcode ID: d30657f23192f3f9fabb32c9287ee10b359f23dffd83b2fd9d414469b4c6306f
                        • Instruction ID: 7808d35ea3dd8998f4e9cd21bbd1eaa33e8ba8573b4c57d838a6f62d78f2d2d3
                        • Opcode Fuzzy Hash: d30657f23192f3f9fabb32c9287ee10b359f23dffd83b2fd9d414469b4c6306f
                        • Instruction Fuzzy Hash: 7E41EA72D0462AEBDB309F59CE08B9E7B75FB4B768F104D25E81967B40C7389A05CB90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Mailbox$?_set_new_handler@@_setmbcpfree
                        • String ID:
                        • API String ID: 2556944153-0
                        • Opcode ID: 6af910436fbf5c720a7919511e3d48fdfbc5420c8bf4f35e033a9d1fa9ecf0ad
                        • Instruction ID: df05ffe40137f81d467fc9d5efd219c420521f51f37c70c22b2472e2ec13b6fc
                        • Opcode Fuzzy Hash: 6af910436fbf5c720a7919511e3d48fdfbc5420c8bf4f35e033a9d1fa9ecf0ad
                        • Instruction Fuzzy Hash: 963135B0300A009BCB259F68C450A6EBBF2FF98710F104A1CE686B7694DF32ED41CB90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • _strcat.LIBCMT ref: 6C8D7ABD
                        • _strcat.LIBCMT ref: 6C8D7B2D
                        • _strncpy.LIBCMT ref: 6C8D7B5F
                        • Sleep.KERNEL32(00003A98,?,?,?,?,?,?,6C9042B6,6C9042A7,0000000C,0000000C,?,?,6C934458), ref: 6C8D7C23
                        • Sleep.KERNEL32(?,6C9042B6,6C9042A7,0000000C,0000000C,?,?,6C934458), ref: 6C8D7C31
                        • RpcStringFreeA.RPCRT4(?), ref: 6C8D7CDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Sleep_strcat$CreateFileFreeString_strncpy
                        • String ID: d
                        • API String ID: 2099396881-2564639436
                        • Opcode ID: 74a8efbd481e36517c7b804c19a520793e4418e79ea70e317d1c4bc0eb0c5a55
                        • Instruction ID: cab01d362a9e7ce676c5be67d5187cae1e70aca3407062ff9fa2bc38db0af25f
                        • Opcode Fuzzy Hash: 74a8efbd481e36517c7b804c19a520793e4418e79ea70e317d1c4bc0eb0c5a55
                        • Instruction Fuzzy Hash: A3817870924169CADF74DB28CE91EEDB375AFA0208F5209F9918962990DFB067CDDF40

                        Control-flow Graph

                        APIs
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • _strcat.LIBCMT ref: 6C8D6279
                        • _strcat.LIBCMT ref: 6C8D62E9
                        • _strncpy.LIBCMT ref: 6C8D631B
                        • Sleep.KERNEL32(00003A98,?,?,?,?,?,?,6C9042B6,6C9042A7,0000000C,0000000C,?,?,6C934458), ref: 6C8D7C23
                        • RpcStringFreeA.RPCRT4(?), ref: 6C8D7CDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _strcat$CreateFileFreeSleepString_strncpy
                        • String ID: d
                        • API String ID: 437704486-2564639436
                        • Opcode ID: 0ddffeb2ce710e8e32f4c3328b5745409d06f914371a12b2d5371e3db3fa5005
                        • Instruction ID: 990b239921dfbda015b4a2bdd6089ebfd2e7150170c786d2a35196f60d720569
                        • Opcode Fuzzy Hash: 0ddffeb2ce710e8e32f4c3328b5745409d06f914371a12b2d5371e3db3fa5005
                        • Instruction Fuzzy Hash: 06719870864159CADF74DB68CE91EEDB375AFA0208F4209E9918A62990DFB037CDDF41
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: dllmain_raw$dllmain_crt_dispatch
                        • String ID:
                        • API String ID: 3136044242-0
                        • Opcode ID: 6f4113a9eb224bba814715fea13bb47d3d544fd429beb550260c0396608c9e7a
                        • Instruction ID: e9de1c48a1f7ea62cf7922c6c43ca56a1492c3293e7a2e5416474546ed31aed8
                        • Opcode Fuzzy Hash: 6f4113a9eb224bba814715fea13bb47d3d544fd429beb550260c0396608c9e7a
                        • Instruction Fuzzy Hash: 17212C71D0161AEBCB314F59CE48AAF3A79FB8B798F004925F91867B50C3389E058BD0
                        APIs
                        • RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000101,?,?,00000000), ref: 6C8E062C
                        • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000), ref: 6C8E0650
                        • RegCloseKey.KERNELBASE(00000006), ref: 6C8E0689
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: N/A
                        • API String ID: 3677997916-2525114547
                        • Opcode ID: 18d8f29ad51da1591e5f4898b785a875fe089768eead5829cca283be17493595
                        • Instruction ID: cb5949d71f6e5449538a8392335ee3c82ea18182f36ce38c71cef2eed1057aa9
                        • Opcode Fuzzy Hash: 18d8f29ad51da1591e5f4898b785a875fe089768eead5829cca283be17493595
                        • Instruction Fuzzy Hash: AB310570A0424EEFDF10DF99D940BAE7BB0BF49304F208829E815A66A0DB74DA54DF60
                        APIs
                        • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6C8F7563,00000000,00000000,00000000), ref: 6C8F7422
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: InformationTimeZone
                        • String ID: Eastern Standard Time$Eastern Summer Time
                        • API String ID: 565725191-239921721
                        • Opcode ID: 644d6d4a9fd46a4723e31224186cbfc9f4810f6b2857f5b7073b0b4c3b3b26c6
                        • Instruction ID: fe7ce845a31338db922db90a63b816319a5cc5d7e36d2ba1631f3d503c815438
                        • Opcode Fuzzy Hash: 644d6d4a9fd46a4723e31224186cbfc9f4810f6b2857f5b7073b0b4c3b3b26c6
                        • Instruction Fuzzy Hash: 2AC18072A00125ABEB30AF68CE01AEE7779EF45798F644935E824D7780E7709E46C790
                        APIs
                          • Part of subcall function 6C8F26DF: HeapFree.KERNEL32(00000000,00000000,?,6C8FC163,?,00000000,?,?,6C8FC404,?,00000007,?,?,6C8FB896,?,?), ref: 6C8F26F5
                          • Part of subcall function 6C8F26DF: GetLastError.KERNEL32(?,?,6C8FC163,?,00000000,?,?,6C8FC404,?,00000007,?,?,6C8FB896,?,?), ref: 6C8F2700
                        • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6C8F7563,00000000,00000000,00000000), ref: 6C8F7422
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorFreeHeapInformationLastTimeZone
                        • String ID: Eastern Standard Time$Eastern Summer Time
                        • API String ID: 3335090040-239921721
                        • Opcode ID: 3ec4e08a8a8fcfafcbb5e9d37910b355c6a8b63227a6db8ecb68052a8f4ca216
                        • Instruction ID: ed72e744227235909ece651e0b04b78dc7b137eced7242f6cf476cd5d8b955b9
                        • Opcode Fuzzy Hash: 3ec4e08a8a8fcfafcbb5e9d37910b355c6a8b63227a6db8ecb68052a8f4ca216
                        • Instruction Fuzzy Hash: 9541D971900525ABDB30AF6DCE059CE7F78EF46798B204A75E428D7A90EB709D06CB90
                        APIs
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • RpcStringFreeA.RPCRT4(?), ref: 6C8D7CDA
                        Strings
                        • Runtime reported exception , xrefs: 6C8D7CAD
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CreateFileFreeString
                        • String ID: Runtime reported exception
                        • API String ID: 201379981-1260309434
                        • Opcode ID: 021a616e3411806567aaf6cadc33d07ad7f6781a8c2646d549db630f9d53c8d7
                        • Instruction ID: 8bfeabe740e8de3a2c5e3fef4bd909eee90ff7ac8682709177c09cf7314fc884
                        • Opcode Fuzzy Hash: 021a616e3411806567aaf6cadc33d07ad7f6781a8c2646d549db630f9d53c8d7
                        • Instruction Fuzzy Hash: 20515730924169CADF74DB28CD91EEDB371AFA4218F5109E9918E62A90DFB076CDDF40
                        APIs
                        • _setmbcp.MSVCR90 ref: 2DE171C3
                          • Part of subcall function 2DE15E3D: GetVersionExA.KERNEL32(?), ref: 2DE15E6A
                          • Part of subcall function 2DE11766: __EH_prolog3.LIBCMT ref: 2DE1176D
                          • Part of subcall function 2DE11766: GetClassInfoW.USER32(?,?,?), ref: 2DE1177F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassH_prolog3InfoVersion_setmbcp
                        • String ID: AfxWndA$AfxWndW
                        • API String ID: 329514372-64854810
                        • Opcode ID: 6a282e33f2a40a4e87bd68a475a5dfcb41cda586579e782e554a13593cf369ce
                        • Instruction ID: 997b85a27c01012eea14ebacc4fe09b4552363ffe2b16b2a11f63688770db368
                        • Opcode Fuzzy Hash: 6a282e33f2a40a4e87bd68a475a5dfcb41cda586579e782e554a13593cf369ce
                        • Instruction Fuzzy Hash: 132128B2A04249DFDB04DFA9C441A9EBBF4FB48750F10812AE515F7340EB35D942CB65
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C8D3939
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6C8D398C
                          • Part of subcall function 6C8E0EDD: _Yarn.LIBCPMT ref: 6C8E0EFC
                          • Part of subcall function 6C8E0EDD: _Yarn.LIBCPMT ref: 6C8E0F20
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                        • String ID: bad locale name
                        • API String ID: 1908188788-1405518554
                        • Opcode ID: 30c26b19ff347429d12275a6599a655557cd0315d15f93469c90574fea308540
                        • Instruction ID: 292a42c840cae3e2c85ca8facab59e5f1637839630a3cb522e38a90d515680ef
                        • Opcode Fuzzy Hash: 30c26b19ff347429d12275a6599a655557cd0315d15f93469c90574fea308540
                        • Instruction Fuzzy Hash: 15F0CD30505149EBDB18DB9CCA65BEC7371AF4520DF250968D1022AB92CF35BF54EB25
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2BDA
                          • Part of subcall function 6C8D4779: std::_Lockit::_Lockit.LIBCPMT ref: 6C8D4799
                          • Part of subcall function 6C8D4779: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D47BF
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D2C86
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Lockitstd::_$Lockit::_Lockit::~_
                        • String ID:
                        • API String ID: 593203224-0
                        • Opcode ID: 0b559b72ea66ec7200e6b6523bffe058c97ec77511122459b1e829acb8cf5980
                        • Instruction ID: f6f549cf23f7a50ffaf1cbe21d4a1ca206d1bfffdd11214fa36d7c4a937e3f78
                        • Opcode Fuzzy Hash: 0b559b72ea66ec7200e6b6523bffe058c97ec77511122459b1e829acb8cf5980
                        • Instruction Fuzzy Hash: 9D21E674D0021EDFCF14DFA8DA85AEEBBB0BF09304F210929D515A7790EB31AA49DB51
                        APIs
                        • RegOpenKeyExW.ADVAPI32(00000004,00000000,00000000,00000101,00000004), ref: 6C8E05A0
                        • RegQueryValueExW.KERNELBASE(00000004,00000001,00000000,00000000,00000004,00000004), ref: 6C8E05C1
                        • RegCloseKey.ADVAPI32(00000004), ref: 6C8E05E4
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID:
                        • API String ID: 3677997916-0
                        • Opcode ID: 8550ecd9173f44a70354ad687c1c09e1f6efc0b83701180902316e09f9642a2e
                        • Instruction ID: e52b0e7b2ba543c2c155afb70677102ffb8a741499f1d7e15b490fa2f582bcac
                        • Opcode Fuzzy Hash: 8550ecd9173f44a70354ad687c1c09e1f6efc0b83701180902316e09f9642a2e
                        • Instruction Fuzzy Hash: 3F11237060420DEFEF11CF60C905BEE7BB4BB0A309F208829E915AA190DBB4DA94DF10
                        APIs
                        • DeleteFileW.KERNELBASE(6C8E8FE3,?,6C8E8FE3,?,?,?,2463616368652E646174), ref: 6C8F5B31
                        • GetLastError.KERNEL32(?,6C8E8FE3,?,?,?,2463616368652E646174), ref: 6C8F5B3B
                        • __dosmaperr.LIBCMT ref: 6C8F5B42
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: DeleteErrorFileLast__dosmaperr
                        • String ID:
                        • API String ID: 1545401867-0
                        • Opcode ID: 582112237b673bd98227b13081c0256f4944977c3062010f2a47ba6ada68cae6
                        • Instruction ID: b31711ba2f4e51905ac3e6c338d0632aab457fb7ec8f4fc8db7370024f6e0b18
                        • Opcode Fuzzy Hash: 582112237b673bd98227b13081c0256f4944977c3062010f2a47ba6ada68cae6
                        • Instruction Fuzzy Hash: CDD0123230C20CBB9F503FF6EC0884A7B7E9BA23787294A29F52CC5590EF31C4959951
                        APIs
                        • GlobalAddAtomA.KERNEL32(AfxOldWndProc), ref: 2DE19C73
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AtomGlobal
                        • String ID: AfxOldWndProc
                        • API String ID: 2189174293-2134796454
                        • Opcode ID: d4217dee72e4177300e25165df6d35abc6edc369c666346bf9ee81b424c5cd5f
                        • Instruction ID: 8490e39fbf53fde2146f8bf48e1fdd2717d6ea3805bb5707b58b8df0217edc5d
                        • Opcode Fuzzy Hash: d4217dee72e4177300e25165df6d35abc6edc369c666346bf9ee81b424c5cd5f
                        • Instruction Fuzzy Hash: 1CA022AB0020008383008FF0C0C8BE032F0AF80A03B2200C38033F03388E280080C38F
                        APIs
                        • GetDateFormatW.KERNELBASE(00000800,00000000,?,00000000,6C8DF0CA,000003FE,?,?,?,6C8DF0CA,?,00000000,?,00000000,?,00000000), ref: 6C8E0501
                        • GetTimeFormatW.KERNEL32(00000800,00000000,?,00000000,00000000,00000000), ref: 6C8E0559
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Format$DateTime
                        • String ID:
                        • API String ID: 2545834208-0
                        • Opcode ID: f790838552091bdce9506e4161047a615fa6f0e2860cf53d55d2d95df32ece6e
                        • Instruction ID: 8ce486bdf476db4b2df769246b6438726bb0476480b6d625f5d9c18658a18c9e
                        • Opcode Fuzzy Hash: f790838552091bdce9506e4161047a615fa6f0e2860cf53d55d2d95df32ece6e
                        • Instruction Fuzzy Hash: 1A31A478E0024A9FDB00DFA8C981BAEB7B4EF18704F10445AE915EB750E734AA45CBA5
                        APIs
                        • __RTC_Initialize.LIBCMT ref: 6C8E1F3E
                          • Part of subcall function 6C8E26CA: InitializeSListHead.KERNEL32(6C93C7C8,6C8E1F48,6C911E78,00000010,6C8E1ED9,?,?,?,6C8E2101,?,00000001,?,?,00000001,?,6C911EC0), ref: 6C8E26CF
                        • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C8E1FA8
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                        • String ID:
                        • API String ID: 3231365870-0
                        • Opcode ID: d09f819fd2e8ce4d01ffaec8d9ccee110deeaa19cd7c92f1af2e7403999df0e3
                        • Instruction ID: 6c2309637420b3c3383d4fa2420fd8a7ae56ef17ea8051a1b33c6a9a864679e4
                        • Opcode Fuzzy Hash: d09f819fd2e8ce4d01ffaec8d9ccee110deeaa19cd7c92f1af2e7403999df0e3
                        • Instruction Fuzzy Hash: 8621C63574D2166ADB306BBCD609BDC37619F5F36CF200D29D45527F82CB65C108C6A6
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE116DD
                        • GetClassInfoA.USER32(?,?,?), ref: 2DE116EF
                          • Part of subcall function 2DE10D75: RegisterClassA.USER32(?), ref: 2DE10DA4
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Class$H_prolog3InfoRegister
                        • String ID:
                        • API String ID: 1538853570-0
                        • Opcode ID: c7c22eb8f7b14e36dca255616a0ec666563476ed3652da8b2b9a615a1859b1bc
                        • Instruction ID: 41f7c54c93f7348133383d2809edf97374919f27fa2577515922fd41d20de380
                        • Opcode Fuzzy Hash: c7c22eb8f7b14e36dca255616a0ec666563476ed3652da8b2b9a615a1859b1bc
                        • Instruction Fuzzy Hash: 5A01B171704254BACB026A608C81F9F7BADEF26745F118514F659B6190CE34DE0187B6
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: lstrcmpi
                        • String ID: 0-
                        • API String ID: 1586166983-1114002220
                        • Opcode ID: a787ed22da077df86fa8b5d37a2b146f29c00f357b760bf3763710e4c0c6d434
                        • Instruction ID: 8a9d2ef84c5730c7ed6c033890644b0a333031032d0f9abf4a54e8a4bddb1987
                        • Opcode Fuzzy Hash: a787ed22da077df86fa8b5d37a2b146f29c00f357b760bf3763710e4c0c6d434
                        • Instruction Fuzzy Hash: D2E0ED31214115AFD7529E65CC40A667BE8FF45B95340C82AF859F6114EE72D910DBE0
                        APIs
                        • KiUserCallbackDispatcher.NTDLL(00000002), ref: 2DE15FDE
                        • GetSystemMetrics.USER32(00000003), ref: 2DE15FE8
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CallbackDispatcherMetricsSystemUser
                        • String ID:
                        • API String ID: 365337688-0
                        • Opcode ID: 9e4da9da6fd3846626be3a876d2cad014e43beda641b95538cee8958df5b12cc
                        • Instruction ID: 9044a5b9f88155e5f7a41718bf5436ce1e8e80d6e2b5ab320940da893f2200bf
                        • Opcode Fuzzy Hash: 9e4da9da6fd3846626be3a876d2cad014e43beda641b95538cee8958df5b12cc
                        • Instruction Fuzzy Hash: 58D05E338092208ED70C9B9498087A837F4F308B10F04400BF246A6380C7BC8841CB98
                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,6C8D1ED7,00000000,?,6C8F047A,00000001,00000364,00000000,00000008,000000FF,?,?,6C8E6BB3,6C8F275C), ref: 6C8F26C3
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: c4b29cacc68bd4ac52584ee5513026aa25eafd12497d27415cc636606917d61a
                        • Instruction ID: e045d2554d7916cc06c40e94e664d4a996d1170ab05e596c3d7b9b48aac31a47
                        • Opcode Fuzzy Hash: c4b29cacc68bd4ac52584ee5513026aa25eafd12497d27415cc636606917d61a
                        • Instruction Fuzzy Hash: A4F0E03124556867DB316E268F08B4F3758EF827E4B104922A834DA995CB2CDC0347A0
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6C8E1C0F,00000000,?,6C8D447E,00000000,?,6C8D179D,00000000,?,6C8DA4C6,00000000,?), ref: 6C8F274B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 497472592a46656b4dd3b86fa06673237a1eb467f7419ac2c1bf5eb72847fdc5
                        • Instruction ID: 7c3010103d445a209ef135f61c1330da23ee34cc41fada962f478cad73faaa93
                        • Opcode Fuzzy Hash: 497472592a46656b4dd3b86fa06673237a1eb467f7419ac2c1bf5eb72847fdc5
                        • Instruction Fuzzy Hash: B5E02B312052656BEB312A6E8F0978B7A5C9F537E4F110931DD34D2DC0DB18D41342E1
                        APIs
                        • RegisterClassA.USER32(?), ref: 2DE10DA4
                          • Part of subcall function 2DE03E45: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 2DE03E58
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassDebugOutputRegisterString
                        • String ID:
                        • API String ID: 3599523695-0
                        • Opcode ID: f7ecc1f92a0668298174b18dbe70631bd3bfc5fdc31549c9e8484fc3f079f4da
                        • Instruction ID: 777efd4dfe5afe9d8f14c631cd8cb51412d98a8228a122e5ade9ae0b62ae19ab
                        • Opcode Fuzzy Hash: f7ecc1f92a0668298174b18dbe70631bd3bfc5fdc31549c9e8484fc3f079f4da
                        • Instruction Fuzzy Hash: 4BF03071D05209DACB40EFA589006FDBAF5FF54700F614116E565F6190CF34CA42DB24
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 3c9221a8330db71b842a43b363df4827e11af7726f289f1a230b4738da640df6
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 3c9221a8330db71b842a43b363df4827e11af7726f289f1a230b4738da640df6
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 8a923b9224360a3a599a032f7f8a87c35929414743092b0e913b1d5e3866dd41
                        • Instruction ID: cebcb2f984bb943f2752833b3bbbad2641584a406617695772ac7b2ee9e42ff2
                        • Opcode Fuzzy Hash: 8a923b9224360a3a599a032f7f8a87c35929414743092b0e913b1d5e3866dd41
                        • Instruction Fuzzy Hash: E8A011A23A8002BC300A8208AC88CBA830CC2C0A20320C30AF020F0000AC00EC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: f482adabd21e7af47428a80a1bf8fbbba5d94189440d9136d560cb4316e510b9
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: f482adabd21e7af47428a80a1bf8fbbba5d94189440d9136d560cb4316e510b9
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 0e10e93c898f85eb97ec8577bce6e67cc111cf1ce03047cd5587b9a48a1f9c0b
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 0e10e93c898f85eb97ec8577bce6e67cc111cf1ce03047cd5587b9a48a1f9c0b
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 91ea8d7b3527954384456e8f02118ab07569016c625addee9a318f1b907ff370
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 91ea8d7b3527954384456e8f02118ab07569016c625addee9a318f1b907ff370
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 80fe5ea136582966b2d23c62aa090d18069f494a45ee588e0e9344bac8a7ba4b
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 80fe5ea136582966b2d23c62aa090d18069f494a45ee588e0e9344bac8a7ba4b
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 5981c30ec32350a43957859c9a7d0fd5bab64f05ceb70fa934ec85ea2d86ad43
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 5981c30ec32350a43957859c9a7d0fd5bab64f05ceb70fa934ec85ea2d86ad43
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectTimeVirtual$AddressCountCounterFileHandleHeapModulePerformanceProcQuerySystemThreadTick
                        • String ID:
                        • API String ID: 2966426798-0
                        • Opcode ID: b1d9e3360e75d73aef1975e7a51aa155834824d47b87844c87d294b04e291f44
                        • Instruction ID: e78b5431c3df2289def5fc0514eb564146f851374970ea3c46f2ab85c2feb5c9
                        • Opcode Fuzzy Hash: b1d9e3360e75d73aef1975e7a51aa155834824d47b87844c87d294b04e291f44
                        • Instruction Fuzzy Hash:
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE07BD0
                        • IsIconic.USER32(00000001), ref: 2DE07C45
                        • SetForegroundWindow.USER32(00000001), ref: 2DE07C69
                        • LoadMenuW.USER32(?,00000048), ref: 2DE07CA7
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000001), ref: 2DE07CDB
                        • SetWindowLongA.USER32(00000003,000000F4,0000E900), ref: 2DE07D64
                        • GetFocus.USER32 ref: 2DE07D6A
                        • SetFocus.USER32(00000003,00000000,?,?,00000000,?,?,00CF0000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 2DE07D83
                          • Part of subcall function 2DE12F6C: GetMessageA.USER32(2DE1E9A0,00000000,00000000,00000000), ref: 2DE12F79
                          • Part of subcall function 2DE12F6C: TranslateMessage.USER32(2DE1E9A0), ref: 2DE12F99
                          • Part of subcall function 2DE12F6C: DispatchMessageA.USER32(2DE1E9A0), ref: 2DE12FA0
                        • GetSystemMetrics.USER32(00000000), ref: 2DE07DAF
                        • GetSystemMetrics.USER32(00000001), ref: 2DE07DDF
                        • GetSystemMetrics.USER32(00000001), ref: 2DE07E15
                        • SetForegroundWindow.USER32(00000003), ref: 2DE07E48
                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 2DE07E7E
                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 2DE07ECD
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Message$MetricsSystemWindow$FocusForegroundPeek$ByteCharDispatchH_prolog3_catchIconicLoadLongMenuMultiTranslateWide
                        • String ID:
                        • API String ID: 2541888167-0
                        • Opcode ID: 290a08594d3c1373832ecd646cb7b35f3fae9b5f89bf84448277df58dea2848e
                        • Instruction ID: 62f3655488501c880ed43d426ecc0c1284c9343c02d18e12cd801800864164f7
                        • Opcode Fuzzy Hash: 290a08594d3c1373832ecd646cb7b35f3fae9b5f89bf84448277df58dea2848e
                        • Instruction Fuzzy Hash: 34A19E71A01119EBCF05EFA4C885AAE7BB5EF48756F118019F90ABB245CF74DE41CBA0
                        APIs
                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 2DE183F5
                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,msi.dll,?,00000106), ref: 2DE1844A
                        • LoadLibraryW.KERNEL32(msi.dll), ref: 2DE18457
                        • GetProcAddress.KERNEL32(00000000,MsiGetProductCodeW), ref: 2DE18473
                        • GetProcAddress.KERNEL32(00000000,MsiProvideQualifiedComponentExW), ref: 2DE18481
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc$DirectorySystem
                        • String ID: MsiGetProductCodeW$MsiProvideQualifiedComponentExW$msi.dll$mso14.dll${1E77DE88-BCAB-4C37-B9E5-073AF52DFD7A}
                        • API String ID: 2381529825-3601640118
                        • Opcode ID: a561deea7513b478ab3a10dadaa1a62ff6dfc47870307986edab1943f2b586c8
                        • Instruction ID: a91da5b507411d3708a7b20a1b27f830a33c0404a843497ae4905b4efc26384c
                        • Opcode Fuzzy Hash: a561deea7513b478ab3a10dadaa1a62ff6dfc47870307986edab1943f2b586c8
                        • Instruction Fuzzy Hash: F94163B2904118ABDB109BA4CCC8ABE77BCEB48745F5044AAE246F7140EF358E84CF25
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: freemalloc$H_prolog3_catch_
                        • String ID:
                        • API String ID: 2471221492-0
                        • Opcode ID: 90649fad3fe493cab59900a817efdc0f5823288cf6ab36aa88d0c896f370b14e
                        • Instruction ID: 464abe342d10f794a3dfe470a0fd4c12dafe5c88ac6945ca468c1e5a965cb4cd
                        • Opcode Fuzzy Hash: 90649fad3fe493cab59900a817efdc0f5823288cf6ab36aa88d0c896f370b14e
                        • Instruction Fuzzy Hash: 10228970900218DFDB22DFA4C884BADBBB5FF48706F2185A9EA48BB255DF319941CF50
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetACP.KERNEL32(?,?,?,?,?,?,6C8F0D22,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6C8FD002
                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6C8F0D22,?,?,?,00000055,?,-00000050,?,?), ref: 6C8FD02D
                        • _wcschr.LIBVCRUNTIME ref: 6C8FD0C1
                        • _wcschr.LIBVCRUNTIME ref: 6C8FD0CF
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6C8FD190
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                        • String ID: utf8
                        • API String ID: 4147378913-905460609
                        • Opcode ID: f25d2644a2116f46da9e3f5c971fe230a5ac3fb505c60491beee5c9367101c9e
                        • Instruction ID: 2b38e6b40aa3979c9678efbce03e91a5ae66100e7df6e7bca8fca3736114b0ad
                        • Opcode Fuzzy Hash: f25d2644a2116f46da9e3f5c971fe230a5ac3fb505c60491beee5c9367101c9e
                        • Instruction Fuzzy Hash: E7712F71604206AAE734AF39CE41BE6B3A8EF45388F104C3AE625D7A81F774D547C760
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 2DE17E3C
                        • _crt_debugger_hook.MSVCR90(00000001), ref: 2DE17E49
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 2DE17E51
                        • UnhandledExceptionFilter.KERNEL32(2DE03308), ref: 2DE17E5C
                        • _crt_debugger_hook.MSVCR90(00000001), ref: 2DE17E6D
                        • GetCurrentProcess.KERNEL32(C0000409), ref: 2DE17E78
                        • TerminateProcess.KERNEL32(00000000), ref: 2DE17E7F
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                        • String ID:
                        • API String ID: 3369434319-0
                        • Opcode ID: 57dc467342b30da1e5f46a0a0a29976b29a7f0103eb706373591e4cd37f5fbd6
                        • Instruction ID: 0ed8bb1e5ad0440355285c97adff1f601f88bbca9fa52522f07f9a61804034bf
                        • Opcode Fuzzy Hash: 57dc467342b30da1e5f46a0a0a29976b29a7f0103eb706373591e4cd37f5fbd6
                        • Instruction Fuzzy Hash: D421DFB7902744AFC321DFA4D4897583BF4BB08B11F50901AE40AA7B50EB789981CF0D
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        • Opcode ID: 28313c10c82e48ee097e2ae2bea66776f8f1dbd972ce9877d52229ef2c970272
                        • Instruction ID: a9e0f35ede59435df3840b531e9562ea12aa0792fa89b3f02b4acbdbb254ca5d
                        • Opcode Fuzzy Hash: 28313c10c82e48ee097e2ae2bea66776f8f1dbd972ce9877d52229ef2c970272
                        • Instruction Fuzzy Hash: D0D24871E092288BDB35CE28CE407DAB7B5EB59344F1449EAD45DE3640E734AE86CF81
                        APIs
                        • GetLocaleInfoW.KERNEL32(?,2000000B,6C8FD9EE,00000002,00000000,?,?,?,6C8FD9EE,?,00000000), ref: 6C8FD769
                        • GetLocaleInfoW.KERNEL32(?,20001004,6C8FD9EE,00000002,00000000,?,?,?,6C8FD9EE,?,00000000), ref: 6C8FD792
                        • GetACP.KERNEL32(?,?,6C8FD9EE,?,00000000), ref: 6C8FD7A7
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: InfoLocale
                        • String ID: ACP$OCP
                        • API String ID: 2299586839-711371036
                        • Opcode ID: 8427f81026d0536a92782b880799bef533a4b414c83e27bfb0f1c5ded288f7bf
                        • Instruction ID: b4b84f9f22adb7cf97d06a1a91b9e5ace976bdf5778f696542764f6845f173e4
                        • Opcode Fuzzy Hash: 8427f81026d0536a92782b880799bef533a4b414c83e27bfb0f1c5ded288f7bf
                        • Instruction Fuzzy Hash: 1721A722709104D6D7349F15CB01B8772B6EB43BD8B668E2AEA29DF900F731DD42C750
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6C8FD9B1
                        • IsValidCodePage.KERNEL32(00000000), ref: 6C8FD9FA
                        • IsValidLocale.KERNEL32(?,00000001), ref: 6C8FDA09
                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6C8FDA51
                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6C8FDA70
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                        • String ID:
                        • API String ID: 415426439-0
                        • Opcode ID: 708086c4e929f383090b5a1528856f07b7b57a0338e027e95d1c5452b1a648d9
                        • Instruction ID: c6f67a2f4b8f4d88825ebd16f7911bd8815e6fb4e1cda28e5e091fb8be41164e
                        • Opcode Fuzzy Hash: 708086c4e929f383090b5a1528856f07b7b57a0338e027e95d1c5452b1a648d9
                        • Instruction Fuzzy Hash: FC516571B012059FEF20DFA9CD40BAE77F8AF45744F21482AAA34E7640D770E9468B61
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        • Opcode ID: 5a2df6829468a3d1ba630fb8cbc36a6c6803c4e92b5340e5fff4db1baf62b945
                        • Instruction ID: 64f91ab19adffea2910eab6a9a835cc02ef0ef7f7d0e31aa798ed129f3759cb2
                        • Opcode Fuzzy Hash: 5a2df6829468a3d1ba630fb8cbc36a6c6803c4e92b5340e5fff4db1baf62b945
                        • Instruction Fuzzy Hash: 68B16C31A053459FEB218F68C990BEEBBB5EF55384F14C5AAD424ABB41D334D907CBA0
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6C8E2717
                        • IsDebuggerPresent.KERNEL32 ref: 6C8E27E3
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C8E2803
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 6C8E280D
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                        • String ID:
                        • API String ID: 254469556-0
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C8FD3A8
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C8FD3F2
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C8FD4B8
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: InfoLocale$ErrorLast
                        • String ID:
                        • API String ID: 661929714-0
                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C8E682B
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C8E6835
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C8E6842
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$IconicShowVisible
                        • String ID:
                        • API String ID: 500985287-0
                        APIs
                        • GetParent.USER32(?), ref: 2DE0BB31
                        • GetAsyncKeyState.USER32(00000010), ref: 2DE0BB54
                        • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 2DE0BB6D
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AsyncMessageParentSendState
                        • String ID:
                        • API String ID: 2531950252-0
                        APIs
                        • GetKeyState.USER32(00000010), ref: 2DE12F3F
                        • GetKeyState.USER32(00000011), ref: 2DE12F48
                        • GetKeyState.USER32(00000012), ref: 2DE12F51
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: State
                        • String ID:
                        • API String ID: 1649606143-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: H_prolog3
                        • String ID:
                        • API String ID: 431132790-3916222277
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6C8F2037,?,?,00000008,?,?,6C901147,00000000), ref: 6C8F2269
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C8E28EB
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: FeaturePresentProcessor
                        • String ID:
                        • API String ID: 2325560087-0
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C8FD5FB
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$InfoLocale
                        • String ID:
                        • API String ID: 3736152602-0
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • EnumSystemLocalesW.KERNEL32(6C8FD354,00000001,00000000,?,-00000050,?,6C8FD985,00000000,?,?,?,00000055,?), ref: 6C8FD2A0
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem
                        • String ID:
                        • API String ID: 2417226690-0
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6C8FD651,00000000,00000000,?), ref: 6C8FD802
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$InfoLocale
                        • String ID:
                        • API String ID: 3736152602-0
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6C8FD190
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$InfoLocale
                        • String ID: utf8
                        • API String ID: 3736152602-905460609
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • EnumSystemLocalesW.KERNEL32(6C8FD5A7,00000001,00000000,?,-00000050,?,6C8FD949,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6C8FD313
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem
                        • String ID:
                        • API String ID: 2417226690-0
                        • Opcode ID: 47b54eac5b143bb5bbb80ffe1701cbcc85b8aa9f7c687ac5e6236ac1498b6b70
                        • Instruction ID: d489ba7264764ae0da2f77632decf6b4b0273bf0b321f05f3c723872955cab52
                        • Opcode Fuzzy Hash: 47b54eac5b143bb5bbb80ffe1701cbcc85b8aa9f7c687ac5e6236ac1498b6b70
                        • Instruction Fuzzy Hash: 2FF04C363043045FD7245F798980A6A7BA5EF8039CF15482EFB154BA40E3B1AC03C660
                        APIs
                          • Part of subcall function 6C8EDD5C: EnterCriticalSection.KERNEL32(-6C93C8B0,?,6C8EF08F,00000000,6C912220,0000000C,6C8EF056,6C8D1ED7,?,6C8F26B5,6C8D1ED7,?,6C8F047A,00000001,00000364,00000000), ref: 6C8EDD6B
                        • EnumSystemLocalesW.KERNEL32(6C8F2988,00000001,6C912400,0000000C,6C8F2DB7,00000000), ref: 6C8F29CD
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CriticalEnterEnumLocalesSectionSystem
                        • String ID:
                        • API String ID: 1272433827-0
                        • Opcode ID: 7419ea1bc5fb80b4a47b3bd454379f50f96f2c3aac879a53be3f50cd48eaef8b
                        • Instruction ID: 2a215ab8dbf3df72f03a48a94dcf365bfd88e2201bc93080669a11e07abdc30c
                        • Opcode Fuzzy Hash: 7419ea1bc5fb80b4a47b3bd454379f50f96f2c3aac879a53be3f50cd48eaef8b
                        • Instruction Fuzzy Hash: 74F08732A08214DFDB20DF9CD545B9877B0FB8A369F20892AE4149B790CB794944CF80
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • EnumSystemLocalesW.KERNEL32(6C8FD13C,00000001,00000000,?,?,6C8FD9A7,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6C8FD21A
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem
                        • String ID:
                        • API String ID: 2417226690-0
                        • Opcode ID: 535574f0ac1a1aa9ed363f0a3c94d1c2546d9bee98c30df4bf0341cd065c941a
                        • Instruction ID: b85151df9afd504cf0a789c2c9c08ea85d74c2c591e3e0284f6a0ff697e0f7c6
                        • Opcode Fuzzy Hash: 535574f0ac1a1aa9ed363f0a3c94d1c2546d9bee98c30df4bf0341cd065c941a
                        • Instruction Fuzzy Hash: 2FF0A33630010557C7149F79D90465ABF64EFC2354F0A445DEF158BB40D331D843C7A0
                        APIs
                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6C8F1888,?,20001004,00000000,00000002,?,?,6C8F0E8A), ref: 6C8F2EEF
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: 603afe8f0381dcae135eca2bafbeda0f80139b6ec7352f3bddc596c68ee446de
                        • Instruction ID: 49abd5940de21225a20518e2590b36e4a4789f8e5bbedfb92ad530110800757a
                        • Opcode Fuzzy Hash: 603afe8f0381dcae135eca2bafbeda0f80139b6ec7352f3bddc596c68ee446de
                        • Instruction Fuzzy Hash: 6FE0DF31600568BBCF222F24DD0CA9E3F29EF44790F104425FD2022610CB368C22AA91
                        APIs
                        • GetVersionExA.KERNEL32(?), ref: 2DE15E6A
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Version
                        • String ID:
                        • API String ID: 1889659487-0
                        • Opcode ID: 8a0c90a5a7600dfc6de74170f282232b9cc0a68bf6e01015507ece98bb4611d0
                        • Instruction ID: a35e736960b650c7d7a073a1ac86cc533c4016ce540f63c3b8c129ad045e2cef
                        • Opcode Fuzzy Hash: 8a0c90a5a7600dfc6de74170f282232b9cc0a68bf6e01015507ece98bb4611d0
                        • Instruction Fuzzy Hash: DFF0AC76A14218CFD754DF74C59978DB7F4AB18B05F9084A8D00BE6381DA799A89CB04
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_00017E87), ref: 2DE17ECE
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: d4fd6f06bdcacada01fbf8cb112c5e94c95be8386407e9c4f5fed4f85241b50a
                        • Instruction ID: cd9b212ba350204da04671530f89d19a90fd91c5f2efaa0c467f0ce58adf26d7
                        • Opcode Fuzzy Hash: d4fd6f06bdcacada01fbf8cb112c5e94c95be8386407e9c4f5fed4f85241b50a
                        • Instruction Fuzzy Hash: 7C9002A125100086470027F0484961925E06B48A137450A547002EC129DF2688A0A525
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Char$Next$mallocmemset$isspacelstrlen$ByteLeadPrevProfileString
                        • String ID: intl$sList
                        • API String ID: 1792931721-3643076868
                        • Opcode ID: bf8fbc612642cf501f2d6c9593b33af8d70f793b01dd504c461bb7771a5d14c1
                        • Instruction ID: 85f439606f4543b4cb57da21a7ab1d77fb6269e1b93010b229283cb028babac0
                        • Opcode Fuzzy Hash: bf8fbc612642cf501f2d6c9593b33af8d70f793b01dd504c461bb7771a5d14c1
                        • Instruction Fuzzy Hash: CE61F475900255AFDB118F65C8C4BBDBBF8EF0526AF10806AE985F7641DB7ACA40CF60
                        APIs
                          • Part of subcall function 2DE12240: LoadResource.KERNEL32(2DE00000,00000000,2DE00000,?,000000F0), ref: 2DE1227A
                          • Part of subcall function 2DE12240: LockResource.KERNEL32(00000000), ref: 2DE12288
                          • Part of subcall function 2DE12240: SendDlgItemMessageA.USER32(00000001,?,?,00000000,00000000), ref: 2DE122D8
                          • Part of subcall function 2DE12240: FreeResource.KERNEL32(?), ref: 2DE122F0
                        • EndDialog.USER32(?,00000003), ref: 2DE146BC
                          • Part of subcall function 2DE06288: GetDlgItem.USER32(?,?), ref: 2DE06291
                        • ShowWindow.USER32(?,00000000,?,00000000), ref: 2DE146E7
                        • memset.MSVCR90 ref: 2DE14714
                        • memset.MSVCR90 ref: 2DE14723
                        • memset.MSVCR90 ref: 2DE1476C
                        • GetDC.USER32(00000000), ref: 2DE147BC
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 2DE147CB
                        • ReleaseDC.USER32(00000000,?), ref: 2DE147F2
                        • CreateFontIndirectW.GDI32(FFFFFFF5), ref: 2DE14828
                        • CreateFontIndirectW.GDI32(FFFFFFF5), ref: 2DE1483B
                        • CreateFontIndirectW.GDI32(FFFFFFF5), ref: 2DE1485F
                        • GetWindow.USER32(?,00000005), ref: 2DE1486A
                        • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 2DE1488A
                        • GetObjectW.GDI32(00000000,0000005C,?), ref: 2DE1489A
                        • SendMessageA.USER32(?,00000030,?,00000000), ref: 2DE148D0
                        • GetWindow.USER32(?,00000002), ref: 2DE148DA
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CreateFontIndirectMessageResourceSendWindowmemset$Item$CapsDeviceDialogFreeLoadLockObjectReleaseShow
                        • String ID: @$@
                        • API String ID: 1409219205-149943524
                        • Opcode ID: dfd6ae548f6e67369d0b8e4d9439b5f187f1b678dd6663c1e9508cf80ad897a4
                        • Instruction ID: f1fc852bb682c3422807fdd19d565e8e8e16324926b382bc3b4a88d834d813cd
                        • Opcode Fuzzy Hash: dfd6ae548f6e67369d0b8e4d9439b5f187f1b678dd6663c1e9508cf80ad897a4
                        • Instruction Fuzzy Hash: E5616D71A042689EDB219B64CC44BEEBBF8BF18745F4045A9E20AF6290DB75DE80CF54
                        APIs
                        • GetParent.USER32(?), ref: 2DE041EF
                        • GetWindowThreadProcessId.USER32(?,?), ref: 2DE041FC
                        • GetCurrentProcessId.KERNEL32 ref: 2DE04202
                        • GetLastError.KERNEL32 ref: 2DE04225
                        • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 2DE042AB
                        • SetLastError.KERNEL32(?), ref: 2DE042E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$Process$CurrentParentThreadWindow
                        • String ID: Unknown$W$n2ub$o2ub$openas$q2ub$r2ub$t2ub
                        • API String ID: 3874811631-1827479352
                        • Opcode ID: 664cb6042f8f2427c7b426443daa625d9676b55b495372ee7eb878a11a592400
                        • Instruction ID: 5624995efa62e45a80d2015e29ddcb3a68734019700b062c3cd6d2bf9985900d
                        • Opcode Fuzzy Hash: 664cb6042f8f2427c7b426443daa625d9676b55b495372ee7eb878a11a592400
                        • Instruction Fuzzy Hash: E631F6B2600605EFD701AFE1CA88A9E7AF8FF1465BB118529E616F7210CF74DE40CB64
                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 2DE09F9E
                        • ReadClassStg.OLE32(?,?,?,00000000,?,?,00000000,?), ref: 2DE0A089
                        • OleLoad.OLE32(?,2DE017D0,?,?), ref: 2DE0A0D6
                        • _strdup.MSVCR90(?), ref: 2DE0A1DB
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,000000FF,?,00000104,?,00000000,?,?), ref: 2DE0A250
                        • GetClassFile.OLE32(00000000), ref: 2DE0A25F
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,000000FF,?,00000104,2DE017D0,00000001,00000000,?,?,?), ref: 2DE0A2C3
                        • OleCreateLinkToFile.OLE32(00000000), ref: 2DE0A2D2
                        • OleSetContainedObject.OLE32(?,00000001), ref: 2DE0A31A
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharClassFileMultiWide$ContainedCreateH_prolog3_LinkLoadObjectRead_strdup
                        • String ID: HrThreadFuncWaitOnClose$L"-$Note
                        • API String ID: 1990140484-749375652
                        • Opcode ID: ff8526354651f11c4d5cfd00d36eaeef83786d052839b11786698df0265a969d
                        • Instruction ID: 1e9b259ac48dd1adc301392e6ee38f33c7b3e2d421be94de005b4b1ebb7b3f5d
                        • Opcode Fuzzy Hash: ff8526354651f11c4d5cfd00d36eaeef83786d052839b11786698df0265a969d
                        • Instruction Fuzzy Hash: 31D14C71604128AFCB169B64CC84FAA77B9EF48701F1540A4F609FB251DB74AF81CB60
                        APIs
                        • _splitpath_s.MSVCR90 ref: 2DE09ADD
                          • Part of subcall function 2DE08FD6: lstrlenA.KERNEL32(?), ref: 2DE08FE3
                        • _splitpath_s.MSVCR90 ref: 2DE09B35
                        • lstrlenA.KERNEL32(?), ref: 2DE09B5F
                        • _makepath_s.MSVCR90 ref: 2DE09B8C
                        • CloseHandle.KERNEL32(00000000), ref: 2DE09BCE
                          • Part of subcall function 2DE08FD6: IsCharAlphaNumericA.USER32(?,?), ref: 2DE09017
                          • Part of subcall function 2DE04609: _vsnprintf.MSVCR90 ref: 2DE0463A
                        • CharPrevA.USER32(?,?), ref: 2DE09C00
                        • lstrlenA.KERNEL32(?), ref: 2DE09C53
                        • _makepath_s.MSVCR90 ref: 2DE09C81
                        • GetLastError.KERNEL32 ref: 2DE09CA1
                        • CloseHandle.KERNEL32(00000000), ref: 2DE09CCB
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: lstrlen$CharCloseHandle_makepath_s_splitpath_s$AlphaErrorLastNumericPrev_vsnprintf
                        • String ID: %s%x$.
                        • API String ID: 3070513225-3101762996
                        • Opcode ID: c380954a205d623cb66a27fe5a850227fcbf912c343e0c476c3aab25ebe947b6
                        • Instruction ID: de830af3b0f30261b6ab76716317b26e3682d5680cbc4ed736ce115ce1889152
                        • Opcode Fuzzy Hash: c380954a205d623cb66a27fe5a850227fcbf912c343e0c476c3aab25ebe947b6
                        • Instruction Fuzzy Hash: 286139B690011CAEDB209F60CD84FEBB7BCEB25346F0045A5E65AF2141EA359F84CF64
                        APIs
                        • GetModuleHandleA.KERNEL32(olmapi32.dll,?,2DE03757), ref: 2DE036EB
                        • GetProcAddress.KERNEL32(00000000,SetGuardValue), ref: 2DE03704
                        • GetProcAddress.KERNEL32(00000000,GetGuardValue), ref: 2DE03711
                        • GetProcAddress.KERNEL32(00000000,SetExemptValue), ref: 2DE0371E
                        • GetProcAddress.KERNEL32(00000000,GetExemptValue), ref: 2DE0372B
                        • GetProcAddress.KERNEL32(00000000,AssertGuardedAPIAllowed), ref: 2DE03738
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule
                        • String ID: AssertGuardedAPIAllowed$GetExemptValue$GetGuardValue$SetExemptValue$SetGuardValue$olmapi32.dll
                        • API String ID: 667068680-308179802
                        • Opcode ID: 2da1637b33e42520db35a5d7ec3998ebfb3160fb8f0dfab416e0f88474edc647
                        • Instruction ID: 988fb480c345da6b462c81b053b744b3773b4339da8b9e9e132506be8564a9c1
                        • Opcode Fuzzy Hash: 2da1637b33e42520db35a5d7ec3998ebfb3160fb8f0dfab416e0f88474edc647
                        • Instruction Fuzzy Hash: FAF0A4729013116AC3016F799C4CBA67FF8EF95E16308009BF06AFF21ADEB89451CB55
                        APIs
                        • GetModuleHandleA.KERNEL32(olmapi32.dll,?,2DE03757), ref: 2DE036EB
                        • GetProcAddress.KERNEL32(00000000,SetGuardValue), ref: 2DE03704
                        • GetProcAddress.KERNEL32(00000000,GetGuardValue), ref: 2DE03711
                        • GetProcAddress.KERNEL32(00000000,SetExemptValue), ref: 2DE0371E
                        • GetProcAddress.KERNEL32(00000000,GetExemptValue), ref: 2DE0372B
                        • GetProcAddress.KERNEL32(00000000,AssertGuardedAPIAllowed), ref: 2DE03738
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule
                        • String ID: AssertGuardedAPIAllowed$GetExemptValue$GetGuardValue$SetExemptValue$SetGuardValue$olmapi32.dll
                        • API String ID: 667068680-308179802
                        • Opcode ID: ffc7b254352cf169da9c06b4b7315b3856ebb7b7dee4b2775e132e7724cf2903
                        • Instruction ID: e0cd10a272b55b308a936e0bffb4ee0005b5159f6a0e10c4fde9fcb6ec60735c
                        • Opcode Fuzzy Hash: ffc7b254352cf169da9c06b4b7315b3856ebb7b7dee4b2775e132e7724cf2903
                        • Instruction Fuzzy Hash: E5F090729013256AC3046F39CC4CFA6BEF8EB90E16B04045BB02AFB315DBB89410CE54
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE0BD3B
                        • EnableWindow.USER32(?,00000001), ref: 2DE0BD49
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD63
                        • EnableWindow.USER32(?,00000001), ref: 2DE0BD6D
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD92
                        • ShowWindow.USER32(?,00000000), ref: 2DE0BDB0
                        • EnableWindow.USER32(?,00000000), ref: 2DE0BDBD
                        • ShowWindow.USER32(?,00000000), ref: 2DE0BDCA
                        • EnableWindow.USER32(?,00000000), ref: 2DE0BDD7
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE1E
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE3D
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE59
                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,0000000C), ref: 2DE0BE86
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Defer$Enable$Show$Rect
                        • String ID:
                        • API String ID: 3661885419-0
                        • Opcode ID: eecf1b75bd186642706e7a15d1bb290a6188f4abe5dc8f695ac0815e82b51720
                        • Instruction ID: 0ed2a44ee243fdbb2ef71b4a8379aa11c53314dec4cc464ba6735a971b866519
                        • Opcode Fuzzy Hash: eecf1b75bd186642706e7a15d1bb290a6188f4abe5dc8f695ac0815e82b51720
                        • Instruction Fuzzy Hash: 845195B6500609AFDB11DFA8CC84EEABBF9FF48345F004419F96A96260D771AD50DF60
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE085A1
                        • ScreenToClient.USER32(?,?), ref: 2DE085AA
                        • GetWindowRect.USER32(?,?), ref: 2DE085CB
                        • ScreenToClient.USER32(?,?), ref: 2DE085D4
                        • GetWindowRect.USER32(?,?), ref: 2DE085EE
                        • ScreenToClient.USER32(?,?), ref: 2DE08609
                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 2DE08620
                        • MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE08635
                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE08643
                        • SendMessageA.USER32(?,00000441,00000000,00000000), ref: 2DE08654
                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE08662
                        • GetWindowRect.USER32(?,?), ref: 2DE0866E
                        • ScreenToClient.USER32(?,?), ref: 2DE08677
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$ClientRectScreen$MessageSend$Move
                        • String ID:
                        • API String ID: 442886372-0
                        • Opcode ID: 13306a61e9a0b6b5bd1c820945d2b3ca7b5496e6a891c2c3e65446d3432abdfe
                        • Instruction ID: 67756aeb0e198cde58ebb18b7465ba080efbe278f67839f37bd033683e832fd5
                        • Opcode Fuzzy Hash: 13306a61e9a0b6b5bd1c820945d2b3ca7b5496e6a891c2c3e65446d3432abdfe
                        • Instruction Fuzzy Hash: 0A41D276900609AFDB12DFA8CA45BDEBBF9FF08701F104465F612F6260D772AA10DB14
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE08C69
                        • ??_U@YAPAXI@Z.MSVCR90(00001000,00000030,2DE09EEC,00000000,?,?,00000014,2DE0A4D2), ref: 2DE08CA0
                          • Part of subcall function 2DE13812: Mailbox.LIBCMT ref: 2DE159AE
                          • Part of subcall function 2DE06995: LoadCursorA.USER32(00000000,?), ref: 2DE069A0
                          • Part of subcall function 2DE06995: SetCursor.USER32(00000000), ref: 2DE069A7
                        • SetCursor.USER32(L"-,00000000), ref: 2DE08CF7
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE08D03
                        • GetLastError.KERNEL32 ref: 2DE08D3F
                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 2DE08DA9
                        • GetLastError.KERNEL32 ref: 2DE08DB5
                        • CloseHandle.KERNEL32(000000FF), ref: 2DE08DC9
                        • SetCursor.USER32(L"-), ref: 2DE08DD2
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE08DDE
                          • Part of subcall function 2DE10293: LoadStringW.USER32(?,?,?,00000200), ref: 2DE10398
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Cursor$ErrorLastLoad$CloseFileH_prolog3_catchHandleMailboxReadString
                        • String ID: L"-
                        • API String ID: 318333782-653488915
                        • Opcode ID: c72aa40b642ab750a6b29e80ed70b053074ee9c90098a300b2bd53947873a5e2
                        • Instruction ID: 4971d3a002306baf27dbb85bec56b530cf0803773d299f597d0516b688d12f68
                        • Opcode Fuzzy Hash: c72aa40b642ab750a6b29e80ed70b053074ee9c90098a300b2bd53947873a5e2
                        • Instruction Fuzzy Hash: D2513A71900209EFCB05AFA4C884AEDBBB9FF18715F108659F625BB291CB348E45CB60
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?,00000000,?,80000000), ref: 2DE0F246
                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 2DE0F26D
                        • RegCloseKey.ADVAPI32(?), ref: 2DE0F29F
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 2DE0F2DA
                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 2DE0F301
                        • GetSystemDefaultLCID.KERNEL32 ref: 2DE0F31B
                        • RegCloseKey.ADVAPI32(?), ref: 2DE0F32F
                        • GetSystemDefaultLCID.KERNEL32 ref: 2DE0F337
                        Strings
                        • Software\Policies\Microsoft\Office\14.0\Common\LanguageResources, xrefs: 2DE0F1D2
                        • UILanguage, xrefs: 2DE0F1FC
                        • Software\Microsoft\Office\14.0\Common\LanguageResources, xrefs: 2DE0F1F2
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseDefaultOpenQuerySystemValue
                        • String ID: Software\Microsoft\Office\14.0\Common\LanguageResources$Software\Policies\Microsoft\Office\14.0\Common\LanguageResources$UILanguage
                        • API String ID: 1931360540-2478438763
                        • Opcode ID: 8b7d7f2f51cf58a17fe12ffb29efd41d556ee8cc938cac258ad6e5ab258ae6ad
                        • Instruction ID: 7c40d89992d10d377e8a6cbc057cf58f26daefa917ffd8804153a0443dfdc308
                        • Opcode Fuzzy Hash: 8b7d7f2f51cf58a17fe12ffb29efd41d556ee8cc938cac258ad6e5ab258ae6ad
                        • Instruction Fuzzy Hash: 0D514C76A00228DFEB22CF60CC81FEAB7B8BB49715F0040D5E509FA281DB759A85CF51
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE0C02A
                        • ScreenToClient.USER32(?,?), ref: 2DE0C033
                        • MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE0C04C
                          • Part of subcall function 2DE0BCEB: GetWindowRect.USER32(?,?), ref: 2DE0BD3B
                          • Part of subcall function 2DE0BCEB: EnableWindow.USER32(?,00000001), ref: 2DE0BD49
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD63
                          • Part of subcall function 2DE0BCEB: EnableWindow.USER32(?,00000001), ref: 2DE0BD6D
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD92
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE1E
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE3D
                        • GetWindowRect.USER32(?,?), ref: 2DE0C0AB
                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 2DE0C0DD
                        • SendMessageA.USER32(?,00000441,00000000,00000000), ref: 2DE0C0ED
                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE0C16A
                        • BeginDeferWindowPos.USER32(0000000A), ref: 2DE0C16E
                        • DeferWindowPos.USER32(00000000,?,00000000,?,?,?,?,0000000C), ref: 2DE0C18E
                        • EndDeferWindowPos.USER32(?), ref: 2DE0C1B7
                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE0C1C6
                        • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 2DE0C1D4
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Defer$MessageRectSend$EnableMove$BeginClientRedrawScreen
                        • String ID:
                        • API String ID: 245351979-0
                        • Opcode ID: 392ea8f409f4386b18b170c153050fe4b01714af582ebd3f89f5033f5cffc7eb
                        • Instruction ID: 295d596dd3f76bd9212eee26ef93498588e950c10c010ea7f913e2cbf4e7fe7c
                        • Opcode Fuzzy Hash: 392ea8f409f4386b18b170c153050fe4b01714af582ebd3f89f5033f5cffc7eb
                        • Instruction Fuzzy Hash: 37513E72600B05AFDB21DFA4CD85F9ABBF5FB08705F104919E696EA690C775E910CB04
                        APIs
                          • Part of subcall function 6C900297: CreateFileW.KERNEL32(?,00000000,?,6C900687,?,?,00000000,?,6C900687,?,0000000C), ref: 6C9002B4
                        • GetLastError.KERNEL32 ref: 6C9006F2
                        • __dosmaperr.LIBCMT ref: 6C9006F9
                        • GetFileType.KERNEL32(00000000), ref: 6C900705
                        • GetLastError.KERNEL32 ref: 6C90070F
                        • __dosmaperr.LIBCMT ref: 6C900718
                        • CloseHandle.KERNEL32(00000000), ref: 6C900738
                        • CloseHandle.KERNEL32(6C8F85C2), ref: 6C900885
                        • GetLastError.KERNEL32 ref: 6C9008B7
                        • __dosmaperr.LIBCMT ref: 6C9008BE
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        • Opcode ID: 6a6017600685a686db84439d27ffb70378f80faca1b11dd50f5d5bf23bc2e373
                        • Instruction ID: 18e9ab0619ed906b306d51282b73ef8bb1a0db93082cb9fa3bd2522850f4810e
                        • Opcode Fuzzy Hash: 6a6017600685a686db84439d27ffb70378f80faca1b11dd50f5d5bf23bc2e373
                        • Instruction Fuzzy Hash: 2CA11332B181989FCF199F68C851BAD3BB5AB47328F28025DE815DB791CB358816CB51
                        APIs
                        • lstrlenW.KERNEL32(?), ref: 2DE0F7D8
                        • GetACP.KERNEL32(00000000,?,000000FF,?,000001FC), ref: 2DE0F7F2
                        • MultiByteToWideChar.KERNEL32(00000000), ref: 2DE0F7F9
                        • GetModuleHandleW.KERNEL32(mso.dll), ref: 2DE0F8C8
                        • MessageBoxW.USER32(00000000,?,00000000), ref: 2DE0F923
                        • CallNextHookEx.USER32(?,?,?), ref: 2DE0F93C
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCallCharHandleHookMessageModuleMultiNextWidelstrlen
                        • String ID: %ld - [%08lX:%08lX]$%ld - [%08lX]$[%08lX]$mso.dll
                        • API String ID: 3435520019-1696869425
                        • Opcode ID: 68f3c54ecd80c65536ec49c389a65933bee6bc23486708add81df32937fdc499
                        • Instruction ID: 6632497b15fad154614427512545517cd3e14c49dc6dc6b80a62fbfdef9efb69
                        • Opcode Fuzzy Hash: 68f3c54ecd80c65536ec49c389a65933bee6bc23486708add81df32937fdc499
                        • Instruction Fuzzy Hash: 015112B2A00204AEE7059F74CC44FBA33B9EB84B06F108564F716F6292EE35CD55CB65
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE05307
                          • Part of subcall function 2DE050C9: GetModuleHandleW.KERNEL32(KERNEL32), ref: 2DE050CF
                          • Part of subcall function 2DE050C9: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 2DE050E9
                          • Part of subcall function 2DE050C9: GetProcAddress.KERNEL32(00000000,GetSystemDEPPolicy), ref: 2DE050F3
                          • Part of subcall function 2DE050C9: SetProcessDEPPolicy.KERNEL32(00000001), ref: 2DE05106
                        • malloc.MSVCR90 ref: 2DE0533A
                        • malloc.MSVCR90 ref: 2DE0534B
                        • LoadStringW.USER32(000089E8,00000100), ref: 2DE05378
                        • LoadStringW.USER32(000089E9,00000100), ref: 2DE05394
                        • CoBuildVersion.OLE32 ref: 2DE0539E
                        • CoRegisterClassObject.OLE32(2DE01870,00000000,00000004,00000001,?,00000000), ref: 2DE0542A
                          • Part of subcall function 2DE107A6: malloc.MSVCR90 ref: 2DE107AD
                          • Part of subcall function 2DE107A6: memset.MSVCR90 ref: 2DE107C5
                        • CoRegisterClassObject.OLE32(2DE01880,00000000,00000004,00000001,?), ref: 2DE0548A
                        • LoadIconA.USER32(000088B8), ref: 2DE054D3
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Loadmalloc$AddressClassObjectProcRegisterString$BuildH_prolog3_catchHandleIconModulePolicyProcessVersionmemset
                        • String ID: P'-
                        • API String ID: 1755118194-2584166019
                        • Opcode ID: 28f7e23118dc3acc643fd7b8ac87c173cb4aaf25c63295a351871c1544e6cff4
                        • Instruction ID: e9248fa266bd0ab0321e40bbad4e779263de8f3c427335b518fade255b8144fc
                        • Opcode Fuzzy Hash: 28f7e23118dc3acc643fd7b8ac87c173cb4aaf25c63295a351871c1544e6cff4
                        • Instruction Fuzzy Hash: 1951A171604301EAEB019BB48884BBE77F9EB54702F114429E656F7281DF74CE45CB75
                        APIs
                        • MonitorFromWindow.USER32(?,00000002), ref: 2DE03FF3
                        • GetMonitorInfoA.USER32(00000000,00000028), ref: 2DE04002
                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 2DE04020
                        • GetWindowRect.USER32(00000000,?), ref: 2DE0403A
                        • GetWindowRect.USER32(?,?), ref: 2DE0404F
                        • OffsetRect.USER32(?,?,?), ref: 2DE04071
                        • OffsetRect.USER32(?,?,?), ref: 2DE04083
                        • OffsetRect.USER32(?,?,?), ref: 2DE04095
                        • SetWindowPos.USER32(?,00000000,?,00000000,00000000,00000000,00000015), ref: 2DE040F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Rect$Window$Offset$InfoMonitor$FromParametersSystem
                        • String ID: (
                        • API String ID: 4041948150-3887548279
                        • Opcode ID: bcdddc2fbb7ce1fd213c2208a322fd5db06f06bde79b51b33d8f3d453df6a6b7
                        • Instruction ID: 77c544383c1879327f06983830d1c02703d5717c1e0533ad171fb3cd03f375ce
                        • Opcode Fuzzy Hash: bcdddc2fbb7ce1fd213c2208a322fd5db06f06bde79b51b33d8f3d453df6a6b7
                        • Instruction Fuzzy Hash: D6411672900129AFDF01DEA8CD49EEEB7B9FF09312F018515F905FB140DA75AA05CAA1
                        APIs
                        • GetSysColor.USER32(0000000F), ref: 2DE07F43
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Color
                        • String ID: ToolbarWindow32
                        • API String ID: 2811717613-4104838417
                        • Opcode ID: 2ab60dcac5baf6bb9fae96b4d6f8d27d49f2f4fdf497751750df43edbe0d005e
                        • Instruction ID: c797d141d1d3883edc3d9a7a90880dc866bc37ce7b681b71bf71d112a2fc20fe
                        • Opcode Fuzzy Hash: 2ab60dcac5baf6bb9fae96b4d6f8d27d49f2f4fdf497751750df43edbe0d005e
                        • Instruction Fuzzy Hash: 1F51D4B1D4438CAEEB119FA88C81BEEBFB9FF59744F40442DE185B7282C6750805CB25
                        APIs
                        • GetVersion.KERNEL32 ref: 2DE16055
                        • LoadCursorA.USER32(00000000,00007F02), ref: 2DE160C7
                        • LoadCursorA.USER32(00000000,00007F00), ref: 2DE160D2
                        • GetModuleHandleA.KERNEL32(USER32.DLL), ref: 2DE160E4
                        • GetProcAddress.KERNEL32(00000000,SetScrollInfo), ref: 2DE160F8
                        • GetProcAddress.KERNEL32(00000000,GetScrollInfo), ref: 2DE16103
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressCursorLoadProc$HandleModuleVersion
                        • String ID: GetScrollInfo$SetScrollInfo$USER32.DLL
                        • API String ID: 3295075773-1004610577
                        • Opcode ID: 1eba720bb6c36f43fd72991fa9cef78ea57288b4313243eb17b2792ac18ffcbb
                        • Instruction ID: c47a7faa6d8b0227adf5dab4a68e6e4710002941c9648e46e0793025975227e8
                        • Opcode Fuzzy Hash: 1eba720bb6c36f43fd72991fa9cef78ea57288b4313243eb17b2792ac18ffcbb
                        • Instruction Fuzzy Hash: A611B4B1B147518FC7289F7A888052ABAE9FB89606341493EE58BF3B51DA34E805CF54
                        APIs
                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 2DE10454
                        • lstrlenW.KERNEL32(?,00000007,?), ref: 2DE105C3
                        • lstrlenW.KERNEL32(?), ref: 2DE105D1
                        • GetACP.KERNEL32(00000000,?,000000FF,?,?,00000000,00000000,-00000013,?), ref: 2DE1068B
                        • WideCharToMultiByte.KERNEL32(00000000), ref: 2DE10694
                        • GetACP.KERNEL32(00000000,?,000000FF,?,?,00000000,00000000), ref: 2DE106C0
                        • WideCharToMultiByte.KERNEL32(00000000), ref: 2DE106C3
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiWidelstrlen$Read
                        • String ID:
                        • API String ID: 3283085596-0
                        • Opcode ID: a68fe9bf361fa882e981f7bc5e13af20647d4b7a11db2f98ea1b66025d25eb58
                        • Instruction ID: c8b53590c37ef724fd5d91c9f448a7f496b27f7cba7d678864240d19d94bf70f
                        • Opcode Fuzzy Hash: a68fe9bf361fa882e981f7bc5e13af20647d4b7a11db2f98ea1b66025d25eb58
                        • Instruction Fuzzy Hash: C2910976A00109EFCB05CF98C980EA9BBF5FF48314B258499E915BB251DB36EE41DF90
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00020019,?), ref: 2DE18862
                        • RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,?,0000020A), ref: 2DE1888C
                        • RegCloseKey.ADVAPI32(?), ref: 2DE188A2
                        • LoadLibraryW.KERNEL32(?,\Microsoft Shared\office14\mso.dll,?,00000105), ref: 2DE188E1
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 2DE18846
                        • CommonFilesDir, xrefs: 2DE18881
                        • mso.dll, xrefs: 2DE188ED
                        • \Microsoft Shared\office14\mso.dll, xrefs: 2DE188D0
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseLibraryLoadOpenQueryValue
                        • String ID: CommonFilesDir$Software\Microsoft\Windows\CurrentVersion$\Microsoft Shared\office14\mso.dll$mso.dll
                        • API String ID: 3751545530-1101215619
                        • Opcode ID: c8d833a188daccb41fc1b09bb0f4e7fe9d4bef7075bbbddee5e7968869715a63
                        • Instruction ID: 370d49b2195adcbbf26a1951422e1d59c8951ebf9aa13338ddd935fd53c0911b
                        • Opcode Fuzzy Hash: c8d833a188daccb41fc1b09bb0f4e7fe9d4bef7075bbbddee5e7968869715a63
                        • Instruction Fuzzy Hash: E1217F31A4522DABC721EA64CCCDEEEB7B8EB14742F4000A5E55AF6251DE709E84CB94
                        APIs
                        • GetVersion.KERNEL32 ref: 2DE03837
                        • GetFileAttributesW.KERNEL32(???.???), ref: 2DE03842
                        • GetModuleHandleA.KERNEL32(Unicows.dll), ref: 2DE0384D
                        • GetProcAddress.KERNEL32(00000000,?), ref: 2DE03875
                        • GetVersion.KERNEL32 ref: 2DE03888
                        • GetProcAddress.KERNEL32(00000000,?), ref: 2DE038A8
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProcVersion$AttributesFileHandleModule
                        • String ID: ???.???$Unicows.dll
                        • API String ID: 3183861727-2162356649
                        • Opcode ID: e8e219809b013d43b3d314c81efa147e24bc2402a84ff571fa5e9cc5c0b92630
                        • Instruction ID: fa81cac4052d2628061e5d0508ff01a45a3444face8aa59a4143dbbbde494ed5
                        • Opcode Fuzzy Hash: e8e219809b013d43b3d314c81efa147e24bc2402a84ff571fa5e9cc5c0b92630
                        • Instruction Fuzzy Hash: DB119132600206EFD7019FE9C848B69B7F8EF04756B1040A5F845FB251DB78E910CB24
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,6C8DCF5A,6C8DCF5C,00000000,00000000,7B4BA14C,?,?,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A,0000000C), ref: 6C8E19A9
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,6C8DCF5A,?,00000000,00000000,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A), ref: 6C8E1A24
                        • SysAllocString.OLEAUT32(00000000), ref: 6C8E1A2F
                        • _com_issue_error.COMSUPP ref: 6C8E1A58
                        • _com_issue_error.COMSUPP ref: 6C8E1A62
                        • GetLastError.KERNEL32(80070057,7B4BA14C,?,?,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A,0000000C,?,6C8DCF5A), ref: 6C8E1A67
                        • _com_issue_error.COMSUPP ref: 6C8E1A7A
                        • GetLastError.KERNEL32(00000000,?,?,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A,0000000C,?,6C8DCF5A), ref: 6C8E1A90
                        • _com_issue_error.COMSUPP ref: 6C8E1AA3
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                        • String ID:
                        • API String ID: 1353541977-0
                        • Opcode ID: bc889f977c46543d857ae41a73b0726673fe47b70cb55173c2ea68ba6725fb13
                        • Instruction ID: 756918b99bd01fdcd0480f26254200bdf5cdb07947fb73846d2168516d27266a
                        • Opcode Fuzzy Hash: bc889f977c46543d857ae41a73b0726673fe47b70cb55173c2ea68ba6725fb13
                        • Instruction Fuzzy Hash: 7E412872B042199BCB20DF68CA40BEEBBB8AB4E754F20463DE515E7B41D734D544CBA0
                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 6C8E5765
                        • ___TypeMatch.LIBVCRUNTIME ref: 6C8E5873
                        • _UnwindNestedFrames.LIBCMT ref: 6C8E59C5
                        • CallUnexpected.LIBVCRUNTIME ref: 6C8E59E0
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm
                        • API String ID: 2751267872-393685449
                        • Opcode ID: 2bfab5c363702beb46ae8b9f1aa2629cd3561b294ad2a863858529e096e841d1
                        • Instruction ID: 503aa5d7e4449b3d82d9ab5354676608193e9b0df341705cb21837b33d0edfa1
                        • Opcode Fuzzy Hash: 2bfab5c363702beb46ae8b9f1aa2629cd3561b294ad2a863858529e096e841d1
                        • Instruction Fuzzy Hash: 62B1AE31800319EFCF24DFA5DA809DEB7B5FF0E318B14496AE8146BA11C731EA65CB91
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE0C37B
                        • DrawFocusRect.USER32(?,?), ref: 2DE0C3D9
                        • PatBlt.GDI32(?,?,?,?,?,00FF0062), ref: 2DE0C421
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: DrawFocusH_prolog3_catchRect
                        • String ID: ...
                        • API String ID: 1217028765-440645147
                        • Opcode ID: bcabece07dfa2d26e0098002f728779582adff982a86f0164d042d6ce9e659aa
                        • Instruction ID: 923dcaa54c14ee2e312f531f88915f41705df3fbee8760594fb78c26d6aa5b86
                        • Opcode Fuzzy Hash: bcabece07dfa2d26e0098002f728779582adff982a86f0164d042d6ce9e659aa
                        • Instruction Fuzzy Hash: 48914670904249DFDB15CFA4C994AAEBBB5FF28305F21415CEA46B7291DF30AE09CB60
                        APIs
                        • memset.MSVCR90 ref: 2DE18605
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00020019,000000FF), ref: 2DE18659
                        • RegQueryValueExW.ADVAPI32(000000FF,CommonFilesDir,00000000,00000000,?,0000020A), ref: 2DE1867E
                          • Part of subcall function 2DE18540: LoadLibraryW.KERNEL32(?), ref: 2DE185BC
                        • RegCloseKey.ADVAPI32(000000FF), ref: 2DE186CA
                        Strings
                        • Microsoft Shared\office14\, xrefs: 2DE1861A
                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 2DE1864F
                        • CommonFilesDir, xrefs: 2DE18673
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseLibraryLoadOpenQueryValuememset
                        • String ID: CommonFilesDir$Microsoft Shared\office14\$Software\Microsoft\Windows\CurrentVersion
                        • API String ID: 79794857-3032397660
                        • Opcode ID: 36f6e2e8efc4a1afc073490d849ddbc5e79cd0c02741d218dd8b772c7fc5326f
                        • Instruction ID: 3179c54ee98db966a47d3ae70f41689afa1a0afbf442958fca9fbd6fd9890271
                        • Opcode Fuzzy Hash: 36f6e2e8efc4a1afc073490d849ddbc5e79cd0c02741d218dd8b772c7fc5326f
                        • Instruction Fuzzy Hash: 9C217C71A0422CAFDB22DB64CC80EEAB7BCEB08754F4001A5A559F6191DA30DF85CFA4
                        APIs
                        • lstrlenW.KERNEL32(00000000,?,80000000), ref: 2DE0FBFE
                        • lstrlenA.KERNEL32(00000000,?,80000000), ref: 2DE0FC06
                        • LoadStringW.USER32(?,?,?,00000200), ref: 2DE0FC79
                        • GetACP.KERNEL32(00000000,00000201,000000FF,?,00000201,00000201,?,?,80000000), ref: 2DE0FCEA
                        • MultiByteToWideChar.KERNEL32(00000000), ref: 2DE0FCF1
                        • GetCurrentThreadId.KERNEL32 ref: 2DE0FCF7
                        • SetWindowsHookExW.USER32(000000FF,2DE0F729,00000000,00000000), ref: 2DE0FD06
                        • UnhookWindowsHookEx.USER32(00000000), ref: 2DE0FD70
                          • Part of subcall function 2DE0F61C: GetModuleHandleW.KERNEL32(mso.dll,?,2DE0FBDC,?,00000201,?,?,80000000), ref: 2DE0F624
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: HookWindowslstrlen$ByteCharCurrentHandleLoadModuleMultiStringThreadUnhookWide
                        • String ID:
                        • API String ID: 4184960637-0
                        • Opcode ID: 065262e888bcc708b1f284206782184192a233539428be98c1ed4cef9a25e176
                        • Instruction ID: 9e26e9592c1b3ef935f090cda8942afb7a38772dde86cd67278933ade216867e
                        • Opcode Fuzzy Hash: 065262e888bcc708b1f284206782184192a233539428be98c1ed4cef9a25e176
                        • Instruction Fuzzy Hash: 9A616F72A00205EFCB01DFA4C985A6EBBB4FF08756F10452AFA16F7290CB34D964CB95
                        APIs
                        • ??_V@YAXPAX@Z.MSVCR90(?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?,?), ref: 2DE172FC
                        • ??_U@YAPAXI@Z.MSVCR90(?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?,?), ref: 2DE1731A
                        • memset.MSVCR90 ref: 2DE17326
                        • memset.MSVCR90 ref: 2DE1734F
                        • ??_U@YAPAXI@Z.MSVCR90(?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?,?), ref: 2DE1739F
                        • memcpy.MSVCR90(00000000,?,?,?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?), ref: 2DE173B1
                        • memset.MSVCR90 ref: 2DE173C7
                        • ??_V@YAXPAX@Z.MSVCR90(?,?,00000000,?,00000000,?,?,?,?,?,?,?,2DE15264,?,000000FF), ref: 2DE173CF
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: memset$memcpy
                        • String ID:
                        • API String ID: 368790112-0
                        • Opcode ID: cab2f0a68c08a215e292c57bf758677830bf06002173c9b7a8a0609d3745db6e
                        • Instruction ID: 01e67216fbd168e9696475533a605f4c877463738e65f529f3b1af394df0e4cf
                        • Opcode Fuzzy Hash: cab2f0a68c08a215e292c57bf758677830bf06002173c9b7a8a0609d3745db6e
                        • Instruction Fuzzy Hash: 0131C5B1704700DBD721AF69CCC2E1EB7D5EB44A54B21C92DEA6AFB640DA30EC44CB40
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE13217
                        • CloseHandle.KERNEL32(?,00000004,2DE04F48,00000004,2DE04F78), ref: 2DE13234
                        • Mailbox.LIBCMT ref: 2DE13266
                        • Mailbox.LIBCMT ref: 2DE13277
                        • Mailbox.LIBCMT ref: 2DE13288
                        • Mailbox.LIBCMT ref: 2DE13299
                        • Mailbox.LIBCMT ref: 2DE132AA
                        • ??3@YAXPAX@Z.MSVCR90(00000000,00000004,2DE04F48,00000004,2DE04F78), ref: 2DE132DE
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Mailbox$??3@CloseH_prolog3Handle
                        • String ID:
                        • API String ID: 1655960846-0
                        • Opcode ID: f279f09d6a0b4f1a54489b2b22a88a0736dae57d32d307f9707cba6c43cbac02
                        • Instruction ID: f50f39fb23b1299c94324f8a5f5e8def76818ed0c64aaa32ecb0b1b37edad16d
                        • Opcode Fuzzy Hash: f279f09d6a0b4f1a54489b2b22a88a0736dae57d32d307f9707cba6c43cbac02
                        • Instruction Fuzzy Hash: A92136747047029BCB24AFA18491A6DBBE2FF64304F52092DC3DA77681CE71ED88CB91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: isdigit
                        • String ID: z
                        • API String ID: 2326231117-1657960367
                        • Opcode ID: ac17b01145ba7ca2fbfc3fa967c8219a4834eb07b47c83a8880dca6859013e69
                        • Instruction ID: ecc6e3a7f133e5940974b534aaebc0fa7f412d777ee8df15538e836b9cb1db30
                        • Opcode Fuzzy Hash: ac17b01145ba7ca2fbfc3fa967c8219a4834eb07b47c83a8880dca6859013e69
                        • Instruction Fuzzy Hash: B471A271D0061AEFCF01DFA4C840AAEB7B4FF8431AF608556E952BB280DB349A61CF51
                        APIs
                        • __EH_prolog3_catch_GS.LIBCMT ref: 2DE06584
                          • Part of subcall function 2DE1127F: __EH_prolog3_catch.LIBCMT ref: 2DE11286
                          • Part of subcall function 2DE0646A: GetWindowRect.USER32(?,?), ref: 2DE0647F
                          • Part of subcall function 2DE0646A: ScreenToClient.USER32(?,?), ref: 2DE0648C
                          • Part of subcall function 2DE0646A: MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE064A2
                          • Part of subcall function 2DE0646A: SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE064D5
                          • Part of subcall function 2DE0646A: MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 2DE064EA
                          • Part of subcall function 2DE0646A: SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE064F8
                          • Part of subcall function 2DE0646A: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 2DE06508
                        • GetDlgItem.USER32(00000001,000088C2), ref: 2DE065CD
                          • Part of subcall function 2DE04745: _wcsicmp.MSVCR90 ref: 2DE04757
                        • EnableWindow.USER32(?,00000000), ref: 2DE06778
                        • SetWindowTextW.USER32(?,?), ref: 2DE0679E
                        • SetFocus.USER32(?), ref: 2DE067BA
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$MessageMoveSend$ClientEnableFocusH_prolog3_catchH_prolog3_catch_ItemRectRedrawScreenText_wcsicmp
                        • String ID: IPM.Conflict.Message
                        • API String ID: 3324545711-3689180561
                        • Opcode ID: 89563ce0b3311e031b671a500e1268eac639902acf466ff22f93cf609b6259ac
                        • Instruction ID: b3752bfa17b56596601b3db8dcab7f0adfb8ff7e85b8668bb76bba10a4b40695
                        • Opcode Fuzzy Hash: 89563ce0b3311e031b671a500e1268eac639902acf466ff22f93cf609b6259ac
                        • Instruction Fuzzy Hash: F7518370E4825A9BDB11DB54CD81BAD73A4EF20302F4541A8AA49BF285DE34AF45CF91
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE071F3
                        • memset.MSVCR90 ref: 2DE07206
                          • Part of subcall function 2DE052D6: GetProcAddress.KERNEL32(00000000,00000142), ref: 2DE052F4
                        • GetWindowRect.USER32(?,?), ref: 2DE072E8
                        • PostMessageA.USER32(00000001,00000111,0000891C,00000000), ref: 2DE07357
                        • SetCursor.USER32(?), ref: 2DE07360
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressCursorH_prolog3MessagePostProcRectWindowmemset
                        • String ID: D
                        • API String ID: 308528978-2746444292
                        • Opcode ID: 96d0d382f976984e268bdff0539b49b3f1270286629b71aa9eb46c8836169717
                        • Instruction ID: 634d7ecd115178018482c171c355e894373862168e1187e81785f10fcec3337e
                        • Opcode Fuzzy Hash: 96d0d382f976984e268bdff0539b49b3f1270286629b71aa9eb46c8836169717
                        • Instruction Fuzzy Hash: FD415070A04605DFDB11EFA0C889FAEBBB9FF44706F20451CE65ABB291DB35A905CB11
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 6C8E4E17
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6C8E4E1F
                        • _ValidateLocalCookies.LIBCMT ref: 6C8E4EA8
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6C8E4ED3
                        • _ValidateLocalCookies.LIBCMT ref: 6C8E4F28
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: bd981ace971ecf3a411b894a973b3c030490cefc78a1d0fd5bd573ba25962dd3
                        • Instruction ID: f2eb5d60866becd2814c63a9c687c4881cec84c9212b291cea1272048b927853
                        • Opcode Fuzzy Hash: bd981ace971ecf3a411b894a973b3c030490cefc78a1d0fd5bd573ba25962dd3
                        • Instruction Fuzzy Hash: EF417534A002099FCF20CFADC944ADE7BB5AFCA328F14C969D9189BB51D731D915CB91
                        APIs
                          • Part of subcall function 2DE15D40: GetFocus.USER32 ref: 2DE15D44
                          • Part of subcall function 2DE15D40: GetParent.USER32(00000000), ref: 2DE15D6C
                          • Part of subcall function 2DE15D40: GetWindowLongA.USER32(?,000000F0), ref: 2DE15D87
                          • Part of subcall function 2DE15D40: GetParent.USER32(?), ref: 2DE15D95
                          • Part of subcall function 2DE15D40: GetDesktopWindow.USER32 ref: 2DE15D99
                          • Part of subcall function 2DE15D40: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 2DE15DAD
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • GetMenu.USER32(?), ref: 2DE13F12
                        • GetMenu.USER32(?), ref: 2DE13F27
                        • GetMenuItemCount.USER32(00000000), ref: 2DE13F30
                        • GetSubMenu.USER32(00000000,00000000), ref: 2DE13F41
                        • GetMenuItemCount.USER32(?), ref: 2DE13F65
                        • GetMenuItemID.USER32(?,?), ref: 2DE13F7F
                        • GetMenuItemID.USER32(?,00000000), ref: 2DE13FA2
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Menu$Item$CountParentWindow$DesktopErrorFocusH_prolog3LastLongMessageSend
                        • String ID:
                        • API String ID: 666752450-0
                        • Opcode ID: 9be9fc55af222156d3f25f59f4677193daa099dbe6c32b64145a41323d57a954
                        • Instruction ID: d26a778a9b28378a9b9412e49421c64afadef5f417993a0c201165685ec7c745
                        • Opcode Fuzzy Hash: 9be9fc55af222156d3f25f59f4677193daa099dbe6c32b64145a41323d57a954
                        • Instruction Fuzzy Hash: 17417971A04208ABCF019F68CC809EEBBB6FF48314F20856AE951F6251DB31DD41DF60
                        APIs
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • _msize.MSVCR90 ref: 2DE15A7F
                        • _msize.MSVCR90 ref: 2DE15A99
                        • free.MSVCR90 ref: 2DE15AA1
                        • ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCR90 ref: 2DE15AB1
                        • malloc.MSVCR90 ref: 2DE15ABF
                        • malloc.MSVCR90 ref: 2DE15AD2
                        • ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCR90 ref: 2DE15ADB
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ?_set_new_handler@@_msizemalloc$ErrorH_prolog3Lastfree
                        • String ID:
                        • API String ID: 3808399026-0
                        • Opcode ID: a9b4a528f875a6e218f063e785ad0623a17c94ad4a478d07bee21cb377004e87
                        • Instruction ID: fcf538b6cc03881a03c65b434e03e0854ad692f342596e42acc1d1a290db2e0b
                        • Opcode Fuzzy Hash: a9b4a528f875a6e218f063e785ad0623a17c94ad4a478d07bee21cb377004e87
                        • Instruction Fuzzy Hash: 84215E71B48B059FEB10ABB5D880B6AB7F8FF00655B21852AD645F3680EF35ED04CB64
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 2DE15F24
                        • IsWindowUnicode.USER32(?), ref: 2DE15F2D
                        • SetWindowTextW.USER32(?,?), ref: 2DE15F66
                          • Part of subcall function 2DE15CD7: IsWindowUnicode.USER32(?), ref: 2DE15CE0
                          • Part of subcall function 2DE15CD7: GetWindowTextW.USER32(?,00000100,?), ref: 2DE15CF3
                        • lstrcmpW.KERNEL32(?,?,?,?,00000100,?,00000000), ref: 2DE15F5A
                        • lstrcmpA.KERNEL32(?,00000000,?,?,00000100,?,00000001,?,00000000), ref: 2DE15FA1
                        • SetWindowTextA.USER32(?,00000000), ref: 2DE15FAD
                        • free.MSVCR90 ref: 2DE15FB4
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Text$Unicodelstrcmp$freelstrlen
                        • String ID:
                        • API String ID: 1265395221-0
                        • Opcode ID: 786049158eaa192aea86022bd4c83b0f3c1c87c26f6fc3538a559443fe02bcca
                        • Instruction ID: 87922f438859e4ced7c0ebfa7fd4c1cdc410c9255412a9d22884fd765a7b883f
                        • Opcode Fuzzy Hash: 786049158eaa192aea86022bd4c83b0f3c1c87c26f6fc3538a559443fe02bcca
                        • Instruction Fuzzy Hash: 121130B2705108ABDB119AA4CCC4EBFB3BCEB08B45B00456AF642F6241DF38DE44C665
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,7B4BA14C,?,6C8F2C6B,?,?,00000000,00000000), ref: 6C8F2C1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3664257935-537541572
                        • Opcode ID: cf3a35656ce2901ec22b742315da6f61fb974a65747785bd2cb9092fb531ba5e
                        • Instruction ID: 688a73315bd12e11e1441e28152e3578675e73c6214d5e0e476294163fc66f2d
                        • Opcode Fuzzy Hash: cf3a35656ce2901ec22b742315da6f61fb974a65747785bd2cb9092fb531ba5e
                        • Instruction Fuzzy Hash: 54213B3170A661F7CB319F69DD58A4B37789B537B4F210A14ED25EB680D734EA02CA90
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE0647F
                        • ScreenToClient.USER32(?,?), ref: 2DE0648C
                        • MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE064A2
                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE064D5
                        • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 2DE064EA
                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE064F8
                        • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 2DE06508
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$MessageMoveSend$ClientRectRedrawScreen
                        • String ID:
                        • API String ID: 4152145988-0
                        • Opcode ID: 04a9ca4bb46a16451840b574f6294cfb57172a5967cbfa26b447275fba0050d6
                        • Instruction ID: b5ac50140a410b60ad33f8386210b9b37e20caadc3da37fb2d49580a715190a1
                        • Opcode Fuzzy Hash: 04a9ca4bb46a16451840b574f6294cfb57172a5967cbfa26b447275fba0050d6
                        • Instruction Fuzzy Hash: 18114232200654BFDB215FA5CC49F5B7FB9FB48B41F048418F646BA1A0CBB6E510DB54
                        APIs
                        • FindResourceW.KERNEL32(2DE00000,?,00000005,00000000,?,00000000,?,?,?,2DE14967,?,?,00000000,?,?), ref: 2DE141EC
                        • LoadResource.KERNEL32(2DE00000,00000000,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?), ref: 2DE141FA
                        • LockResource.KERNEL32(00000000,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?,?), ref: 2DE14208
                        • SizeofResource.KERNEL32(2DE00000,00000000,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?), ref: 2DE14217
                        • malloc.MSVCR90 ref: 2DE1422D
                        • memcpy.MSVCR90(00000000,?,00000000,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?), ref: 2DE14240
                        • FreeResource.KERNEL32(?,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?,?), ref: 2DE1424B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Resource$FindFreeLoadLockSizeofmallocmemcpy
                        • String ID:
                        • API String ID: 2295636306-0
                        • Opcode ID: 48227763c1cff33241410102a9e0115e82b0c1e9edc6b40d3a9e5449d4db98a2
                        • Instruction ID: f8a201167685b9d33afba2d9e38b5c3827bf90187039fb53aa4c1ea71aba8f6d
                        • Opcode Fuzzy Hash: 48227763c1cff33241410102a9e0115e82b0c1e9edc6b40d3a9e5449d4db98a2
                        • Instruction Fuzzy Hash: 8211FE7660060AABDB015FE5C848BAA7BF8EF49696B104065F905F6300EE75DD40CB74
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE0B7DC
                        • ~_Task_impl.LIBCPMT ref: 2DE0B7F9
                          • Part of subcall function 2DE15440: __EH_prolog3.LIBCMT ref: 2DE15447
                        • ~_Task_impl.LIBCPMT ref: 2DE0B808
                          • Part of subcall function 2DE154BD: __EH_prolog3.LIBCMT ref: 2DE154C4
                        • ~_Task_impl.LIBCPMT ref: 2DE0B817
                        • ~_Task_impl.LIBCPMT ref: 2DE0B826
                        • ~_Task_impl.LIBCPMT ref: 2DE0B835
                          • Part of subcall function 2DE153F3: __EH_prolog3.LIBCMT ref: 2DE153FA
                        • ~_Task_impl.LIBCPMT ref: 2DE0B844
                          • Part of subcall function 2DE04873: ??_V@YAXPAX@Z.MSVCR90(?,?,2DE04B1B), ref: 2DE04883
                          • Part of subcall function 2DE08409: __EH_prolog3.LIBCMT ref: 2DE08410
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Task_impl$H_prolog3
                        • String ID:
                        • API String ID: 1204490572-0
                        • Opcode ID: 42fdf4db1f5d96ef5b0637e4c9123a91e82bf00f202e36c817deb2d8951b791f
                        • Instruction ID: f871b9a218d52c0f83e817faefbdcacda5ea4abe6513e976151fc633c50e5947
                        • Opcode Fuzzy Hash: 42fdf4db1f5d96ef5b0637e4c9123a91e82bf00f202e36c817deb2d8951b791f
                        • Instruction Fuzzy Hash: 58111930509684DAD715EBA4C1557DDBBE0AF35301F95488DCA9A33281DFB86B08D763
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: malloc$freememcpy
                        • String ID:
                        • API String ID: 4259248891-0
                        • Opcode ID: 5661ad0a6e5cfc74636c64c71a1a3c6b9fffe8cc6fc472692e95c15f62cccbaa
                        • Instruction ID: d6d4f02f5280555b0b18b1130327dd0fbfa5368a3c4b8e22ba8db3a39bbf7455
                        • Opcode Fuzzy Hash: 5661ad0a6e5cfc74636c64c71a1a3c6b9fffe8cc6fc472692e95c15f62cccbaa
                        • Instruction Fuzzy Hash: B7418DB1600705AFEB14CF69D88096AB7E9FF44259750C82EE95EFB740EA31EA00CB50
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 38b87c806989fc2c0dd5aa48609b3bc6bc4970df835a6c9630bb3cb24f207596
                        • Instruction ID: cfb473e2bf0c79e87d71682837bb5626e3e1938dfe8f8503324b24d0da3eaa67
                        • Opcode Fuzzy Hash: 38b87c806989fc2c0dd5aa48609b3bc6bc4970df835a6c9630bb3cb24f207596
                        • Instruction Fuzzy Hash: 53B10770A043499FDB21DF9CC580BAEBBB1BF8A358F208958D5349BB81C7749947CB60
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6C8E175B
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6C8E17C6
                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8E17E3
                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6C8E1822
                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8E1881
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C8E18A4
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiStringWide
                        • String ID:
                        • API String ID: 2829165498-0
                        • Opcode ID: e4031d0e6505bb6944d581e75d5fda48b57a81501535d779767bf10b195240c8
                        • Instruction ID: 47792181d4a082caf1558a40e5a6ec72a26d385c3dec9ba4e50fc43c725e3d79
                        • Opcode Fuzzy Hash: e4031d0e6505bb6944d581e75d5fda48b57a81501535d779767bf10b195240c8
                        • Instruction Fuzzy Hash: CA51917260122AAFEF204F95CD44FEF3BBAEF4A744F214929F924A6551E734D814CB90
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE11AB1
                        • GetPropA.USER32(?,00000000), ref: 2DE11AC1
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 2DE11B58
                          • Part of subcall function 2DE11492: GetWindowLongA.USER32(?,000000F0), ref: 2DE114A6
                          • Part of subcall function 2DE11492: GetWindowRect.USER32(?,?), ref: 2DE114BA
                          • Part of subcall function 2DE11492: IsWindowEnabled.USER32(?), ref: 2DE114DF
                        • SetWindowLongA.USER32(?,000000FC,?), ref: 2DE11B77
                        • RemovePropA.USER32(?,00000000), ref: 2DE11B86
                          • Part of subcall function 2DE10D23: GetWindowRect.USER32(?,?), ref: 2DE10D2C
                          • Part of subcall function 2DE10D23: GetWindowLongA.USER32(?,000000F0), ref: 2DE10D37
                        • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 2DE11BE3
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Long$CallProcPropRect$EnabledErrorH_prolog3H_prolog3_catchLastRemove
                        • String ID:
                        • API String ID: 1391589453-0
                        • Opcode ID: ffad048c8b34a72d7a6c69f4442e6b2fde040e45d61777dcfabd33ee11cab945
                        • Instruction ID: 96506f3b843138997fd9f60d06af548f1c76365dbfa81683476a650b1af7e867
                        • Opcode Fuzzy Hash: ffad048c8b34a72d7a6c69f4442e6b2fde040e45d61777dcfabd33ee11cab945
                        • Instruction Fuzzy Hash: 94416972A04209EBCF058FA4C944AEE7BB4FF08715F014519FA15BB290DB39DE44DBA1
                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 2DE084B7
                          • Part of subcall function 2DE08374: SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 2DE0837D
                        • GetObjectA.GDI32(?,0000003C,?), ref: 2DE084DA
                        • GetDC.USER32(00000000), ref: 2DE084E2
                          • Part of subcall function 2DE08338: CreateFontIndirectA.GDI32(?), ref: 2DE08341
                          • Part of subcall function 2DE14F4C: SelectObject.GDI32(?,00000000), ref: 2DE14F70
                          • Part of subcall function 2DE14F4C: SelectObject.GDI32(?,00000000), ref: 2DE14F86
                        • GetTextMetricsA.GDI32(?,?), ref: 2DE08528
                        • GetTextMetricsA.GDI32(?), ref: 2DE08555
                        • ReleaseDC.USER32(00000000,?), ref: 2DE0856F
                          • Part of subcall function 2DE14ED4: __EH_prolog3.LIBCMT ref: 2DE14EDB
                          • Part of subcall function 2DE14ED4: DeleteDC.GDI32(00000000), ref: 2DE14EFB
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Object$MetricsSelectText$CreateDeleteFontH_prolog3H_prolog3_IndirectMessageReleaseSend
                        • String ID:
                        • API String ID: 275216013-0
                        • Opcode ID: 6f85af226e3e9eb24055429f268d7bf1b4e6bf0b06176b899814b474779f6fb9
                        • Instruction ID: b30ef81324e946df8c211b8d22f9bc6ecd6266c7dc84ea51ba510d75a7b9a020
                        • Opcode Fuzzy Hash: 6f85af226e3e9eb24055429f268d7bf1b4e6bf0b06176b899814b474779f6fb9
                        • Instruction Fuzzy Hash: F621EA71D042089BDB15EBE0C855BDDB7B9FF64701F528128E126BB2A4DF345E09CB50
                        APIs
                        • GetLastError.KERNEL32(00000001,?,6C8E51E9,6C8E22B5,6C8E1EC9,?,6C8E2101,?,00000001,?,?,00000001,?,6C911EC0,0000000C,6C8E21FA), ref: 6C8E52E6
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C8E52F4
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C8E530D
                        • SetLastError.KERNEL32(00000000,6C8E2101,?,00000001,?,?,00000001,?,6C911EC0,0000000C,6C8E21FA,?,00000001,?), ref: 6C8E535F
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: a7c8b112924b2aa0fa1298826fe7935de4cd47b30cb4e9d4817ca39196be6dcb
                        • Instruction ID: 67f7c79b4e6674462c54849eba8138052d344b259a15c539b8f5fa060a9941da
                        • Opcode Fuzzy Hash: a7c8b112924b2aa0fa1298826fe7935de4cd47b30cb4e9d4817ca39196be6dcb
                        • Instruction Fuzzy Hash: 3B01B53274D71D9E973016BA6E4664A3764EB0F77C734077EE22087DD0EFA14805D990
                        APIs
                        • memset.MSVCR90 ref: 2DE0430C
                          • Part of subcall function 2DE041B0: SetLastError.KERNEL32(?), ref: 2DE042E5
                        • GetLastError.KERNEL32 ref: 2DE04371
                        • CloseHandle.KERNEL32(?), ref: 2DE0437C
                        • SetLastError.KERNEL32(00000000), ref: 2DE04383
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$CloseHandlememset
                        • String ID: <$print
                        • API String ID: 637397322-3177634819
                        APIs
                        • GetFocus.USER32 ref: 2DE15D44
                        • GetParent.USER32(00000000), ref: 2DE15D6C
                          • Part of subcall function 2DE15C0F: GetWindowLongA.USER32(?,000000F0), ref: 2DE15C2E
                          • Part of subcall function 2DE15C0F: GetClassNameA.USER32(?,?,0000000A), ref: 2DE15C43
                          • Part of subcall function 2DE15C0F: lstrcmpiA.KERNEL32(?,combobox), ref: 2DE15C52
                        • GetWindowLongA.USER32(?,000000F0), ref: 2DE15D87
                        • GetParent.USER32(?), ref: 2DE15D95
                        • GetDesktopWindow.USER32 ref: 2DE15D99
                        • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 2DE15DAD
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
                        • String ID:
                        • API String ID: 2818563221-0
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Office\14.0\Common\FilesPaths,00000000,00020019,?,?,00000000), ref: 2DE18736
                        • RegQueryValueExW.ADVAPI32(?,mso.dll,00000000,00000000,?,00000208,?,00000000), ref: 2DE18757
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 2DE1876B
                        Strings
                        • Software\Microsoft\Office\14.0\Common\FilesPaths, xrefs: 2DE1871A
                        • mso.dll, xrefs: 2DE1874C
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Software\Microsoft\Office\14.0\Common\FilesPaths$mso.dll
                        • API String ID: 3677997916-1420724145
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,6C8E6445,6C8E500A,?,?,00000000,?,6C8E64F7,00000002,FlsGetValue,6C906D98), ref: 6C8E6413
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Similarity
                        • API ID: FreeLibrary
                        • String ID: api-ms-
                        • API String ID: 3664257935-2084034818
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,7B4BA14C,?,?,00000000,6C903507,000000FF,?,6C8E6DB6,?,?,6C8E6D8A,00000000), ref: 6C8E6E5B
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C8E6E6D
                        • FreeLibrary.KERNEL32(00000000,?,00000000,6C903507,000000FF,?,6C8E6DB6,?,?,6C8E6D8A,00000000), ref: 6C8E6E8F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        APIs
                        • _stricmp.MSVCR90(?,IPM.Conflict.Message), ref: 2DE05C06
                        • _stricmp.MSVCR90(?,IPM.Conflict.Folder), ref: 2DE05C16
                        • _stricmp.MSVCR90(?,?), ref: 2DE05C2A
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: _stricmp
                        • String ID: IPM.Conflict.Folder$IPM.Conflict.Message
                        • API String ID: 2884411883-576266925
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: freemalloc$ByteCharMultiWidelstrlen
                        • String ID:
                        • API String ID: 4100972401-0
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE0812D
                          • Part of subcall function 2DE06995: LoadCursorA.USER32(00000000,?), ref: 2DE069A0
                          • Part of subcall function 2DE06995: SetCursor.USER32(00000000), ref: 2DE069A7
                        • MessageBoxW.USER32(00000005,?,?,00000134), ref: 2DE0820B
                        • GetWindowRect.USER32(00000003,?), ref: 2DE08260
                        • PostMessageA.USER32(00000003,00000111,0000891C,00000000), ref: 2DE082BA
                        • SetCursor.USER32(?), ref: 2DE082F2
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: Cursor$Message$H_prolog3_catchLoadPostRectWindow
                        • String ID:
                        • API String ID: 4269587068-0
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE06E3A
                          • Part of subcall function 2DE06995: LoadCursorA.USER32(00000000,?), ref: 2DE069A0
                          • Part of subcall function 2DE06995: SetCursor.USER32(00000000), ref: 2DE069A7
                        • SetCursor.USER32(?), ref: 2DE06E9B
                        • SetCursor.USER32(?), ref: 2DE06EC4
                        • GetWindowRect.USER32(?,?), ref: 2DE06ED5
                        • PostMessageA.USER32(?,00000111,0000891C,00000000), ref: 2DE06F25
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: Cursor$H_prolog3LoadMessagePostRectWindow
                        • String ID:
                        • API String ID: 4037273543-0
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE08A5E
                        • ??_U@YAPAXI@Z.MSVCR90(00001000), ref: 2DE08ACD
                          • Part of subcall function 2DE13812: Mailbox.LIBCMT ref: 2DE159AE
                        • WriteFile.KERNEL32(000000FF,?,?,2DE0224C,00000000), ref: 2DE08B01
                        • CloseHandle.KERNEL32(000000FF), ref: 2DE08B2F
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE08B3C
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: CloseFileH_prolog3_catchHandleMailboxWrite
                        • String ID:
                        • API String ID: 1130278343-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        APIs
                        • SetLastError.KERNEL32(00000000), ref: 2DE0444B
                          • Part of subcall function 2DE042F4: memset.MSVCR90 ref: 2DE0430C
                        • GetLastError.KERNEL32 ref: 2DE0441B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: ErrorLast$memset
                        • String ID: k2ub$l2ub$m2ub
                        • API String ID: 4054172246-710509214
                        APIs
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • CallNextHookEx.USER32(?,?,?,?), ref: 2DE12336
                        • CallNextHookEx.USER32(?,00000003,?,?), ref: 2DE1237D
                        • UnhookWindowsHookEx.USER32(?), ref: 2DE12388
                        • GetCurrentThreadId.KERNEL32 ref: 2DE1239D
                        • SetWindowsHookExA.USER32(00000004,Function_00011CD5,00000000,00000000), ref: 2DE123AD
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: Hook$CallNextWindows$CurrentErrorH_prolog3LastThreadUnhook
                        • String ID:
                        • API String ID: 2915796353-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: EnableFocus$ItemMenuParentWindow
                        • String ID:
                        • API String ID: 783553715-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: ClassObjectRevokefree$FreeLibrary
                        • String ID:
                        • API String ID: 850073815-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: Window$Text$Unicodefreemalloc
                        • String ID:
                        • API String ID: 1936483696-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: Window$Text$Unicodefreemalloc
                        • String ID:
                        • API String ID: 1936483696-0
                        APIs
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE049C3
                          • Part of subcall function 2DE0F52B: malloc.MSVCR90 ref: 2DE0F531
                        • memmove.MSVCR90(?,?,?), ref: 2DE04991
                        • memmove.MSVCR90(?,8007000E,?), ref: 2DE049A6
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Similarity
                        • API ID: memmove$malloc
                        • String ID: jsr9
                        • API String ID: 3263852767-1633979662
                        • Opcode ID: a3486c3d2975eaa75eb20887dc8753533e0c63cf0bf5078e67d4f5d0abe642be
                        • Instruction ID: 6e192201dfb37d2482f8a0568231fc8ff6e71942eca15cd59e15a66f7f9b6c00
                        • Opcode Fuzzy Hash: a3486c3d2975eaa75eb20887dc8753533e0c63cf0bf5078e67d4f5d0abe642be
                        • Instruction Fuzzy Hash: 58419F71A00605EBCB11CF59CA8095EBBF9FF90355B61C92EE59AFB610DB70EA41CB40
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE1438C
                        • GetWindowLongA.USER32(?,000000F0), ref: 2DE143BB
                        • GetParent.USER32(?), ref: 2DE143CB
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: H_prolog3_catchLongParentWindow
                        • String ID: 0
                        • API String ID: 944585138-4108050209
                        • Opcode ID: 6b51049e77c5a2b1e6da7dd6e4f6b296ee358181ea833fd8f6afe21c6304d70a
                        • Instruction ID: e9e01260f8d2c0dd0c0dad1adbd453b757f0624aea5a49ffb55767f54dd5c776
                        • Opcode Fuzzy Hash: 6b51049e77c5a2b1e6da7dd6e4f6b296ee358181ea833fd8f6afe21c6304d70a
                        • Instruction Fuzzy Hash: A3214271A0420ADBCF02EFA0C580B9E7BB0BF14314F218159EA16BB290DB75EE45CB91
                        APIs
                          • Part of subcall function 2DE04873: ??_V@YAXPAX@Z.MSVCR90(?,?,2DE04B1B), ref: 2DE04883
                        • GetACP.KERNEL32 ref: 2DE04B25
                        • WideCharToMultiByte.KERNEL32(?,?,?,000000FF,00000000,00000000,00000000,00000000), ref: 2DE04B44
                        • WideCharToMultiByte.KERNEL32(?,?,?,000000FF,?,00000001,00000000,00000000), ref: 2DE04B8A
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide
                        • String ID: dk29
                        • API String ID: 626452242-1677150192
                        • Opcode ID: 11c2cbd667b4cf0c70a0a35ab4e3ba7df2591af1eaef450e96d98d3f3a7229af
                        • Instruction ID: 3b3a2af78c5c2a758df7fdcd4d5bab2e279977188fe99c955053a26d8ca23841
                        • Opcode Fuzzy Hash: 11c2cbd667b4cf0c70a0a35ab4e3ba7df2591af1eaef450e96d98d3f3a7229af
                        • Instruction Fuzzy Hash: B3113A72904118BBCF119F96CD44DDF7FBDEF85765B10825AF924B6160DA318A00DF60
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE10000
                        • GetModuleHandleW.KERNEL32(mso.dll,0000001C,2DE100FB,00000000,?,?,00000000,00000000,?,?,2DE0FD52,?,00000000,?,?,?), ref: 2DE10075
                          • Part of subcall function 2DE04CF2: LoadStringW.USER32(?,?,?,00000100), ref: 2DE04D3C
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: H_prolog3_catchHandleLoadModuleString
                        • String ID: mso.dll
                        • API String ID: 2579502969-1671880577
                        • Opcode ID: 5436407f10b8e63190d7fc7ff4490c1d8da8ace9c57a40dc70de2d196e56ba3f
                        • Instruction ID: 889d5d27780fe0916f7260d7ff1ceb7c582232b4988a3270ad43a65f9f92a5c6
                        • Opcode Fuzzy Hash: 5436407f10b8e63190d7fc7ff4490c1d8da8ace9c57a40dc70de2d196e56ba3f
                        • Instruction Fuzzy Hash: 2111AC32A04149EACB01DFA0C905BDE3BB0EF24761F268114F961B7290CF38DE10DBA1
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 2DE08EEB
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 2DE08EF9
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Time$System$File
                        • String ID: @$@
                        • API String ID: 2838179519-149943524
                        • Opcode ID: 6cf0c7d42f7a0f5d63c12c7d778d2b5ed957bf44b43d72727b4d61d67ed7a8d8
                        • Instruction ID: 69efd7ca8a87e14b0ed6d0119b97ff52ca28bed46dc92cc84d8642b9caf7b633
                        • Opcode Fuzzy Hash: 6cf0c7d42f7a0f5d63c12c7d778d2b5ed957bf44b43d72727b4d61d67ed7a8d8
                        • Instruction Fuzzy Hash: 7911E271A11229ABDB00DFA4C889FDEBBB8FF08651F004459FA55F7240DB74E900CBA4
                        APIs
                        • LoadIconA.USER32(00000000,00007F00), ref: 2DE0529A
                        • LoadCursorA.USER32(00000000,00007F00), ref: 2DE052A5
                        • GetStockObject.GDI32(00000000), ref: 2DE052AF
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Load$CursorIconObjectStock
                        • String ID: Cnfnot_ClassFactory
                        • API String ID: 3711576554-2905417136
                        • Opcode ID: 12298d52779bf7885af703f20a8aa1c4a096525a430f2ac7f231a9465213ffe2
                        • Instruction ID: 4b6ea87d5abe8fa19cea1f4ba34deefdda2b006f51061f19b668fb8050268535
                        • Opcode Fuzzy Hash: 12298d52779bf7885af703f20a8aa1c4a096525a430f2ac7f231a9465213ffe2
                        • Instruction Fuzzy Hash: FF011A72C05218AFCB059FEA88846EEFAFCEF59612B10416BD501F7214D6788500CFA4
                        APIs
                        • GetWindowLongA.USER32(?,000000F0), ref: 2DE15C2E
                        • GetClassNameA.USER32(?,?,0000000A), ref: 2DE15C43
                        • lstrcmpiA.KERNEL32(?,combobox), ref: 2DE15C52
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassLongNameWindowlstrcmpi
                        • String ID: combobox
                        • API String ID: 2054663530-2240613097
                        • Opcode ID: 24e7308367cef179a738491327c7cdfbe4fbd040d14787d67a9d9650722ba2b1
                        • Instruction ID: 5eab60a80366cd03ed63695aa5b60ebd6a6c005035ddc7147f26fb50dec9e2f0
                        • Opcode Fuzzy Hash: 24e7308367cef179a738491327c7cdfbe4fbd040d14787d67a9d9650722ba2b1
                        • Instruction Fuzzy Hash: 48F09032A15129ABCB01EFA4CC45FBE73F8EB09A52B404915F413FB180DB38EA05C799
                        APIs
                        • GetConsoleOutputCP.KERNEL32(7B4BA14C,00000000,00000000,?), ref: 6C8F3902
                          • Part of subcall function 6C8F9E65: WideCharToMultiByte.KERNEL32(00000000,00000000,6C8E66A1,?,6C8E6732,00000016,6C8EEE89,0000FDE9,?,?,00000008,?,00000003,6C912580,00000024,6C8EEE89), ref: 6C8F9F11
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C8F3B5D
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C8F3BA5
                        • GetLastError.KERNEL32 ref: 6C8F3C48
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                        • String ID:
                        • API String ID: 2112829910-0
                        • Opcode ID: 6af723fb12bf04ad4f7bb67a8875f4b4564badd2dc5a33cde84b03704c64abe1
                        • Instruction ID: ef43057a3b87706c37102e9e60860871ad562f3aacb5c6e56d3862140c8a6542
                        • Opcode Fuzzy Hash: 6af723fb12bf04ad4f7bb67a8875f4b4564badd2dc5a33cde84b03704c64abe1
                        • Instruction Fuzzy Hash: DCD18AB5E04258AFCF21CFA8C9809EDBBB4FF49354F24492AE865E7741D730A942CB51
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: H_prolog3_catch_
                        • String ID:
                        • API String ID: 1329019490-0
                        • Opcode ID: 7360c6e30741ed6b5eb31e508070f5b12bd1e179eac239ab21476f343b717299
                        • Instruction ID: 7f42ca27ae2b62e7484bff029b029217e6590823b0b58a4b13a545285ab1e62b
                        • Opcode Fuzzy Hash: 7360c6e30741ed6b5eb31e508070f5b12bd1e179eac239ab21476f343b717299
                        • Instruction Fuzzy Hash: BAC18B709082A89BDB65DBA4CD88BADB7B1EF24305F2141D8E259771A1DF349F84CF21
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AdjustPointer
                        • String ID:
                        • API String ID: 1740715915-0
                        • Opcode ID: 9257d1621bb0751cd862e4fd31310406f2f9a989b7c9923925f4bfc74e253ae0
                        • Instruction ID: b7ed8f2dff8231e7340c0c7a5bb5db15518345f6df8ab9ac9cc4e2fd957ab8c3
                        • Opcode Fuzzy Hash: 9257d1621bb0751cd862e4fd31310406f2f9a989b7c9923925f4bfc74e253ae0
                        • Instruction Fuzzy Hash: E751D1B2606706AFDB358F98CA40BAA77B5EF4F319F200D2DD91647A90D731E841CB50
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7303fbe36ea327d128f4b038bfbf65970523db64ddd13426118725476800c869
                        • Instruction ID: 1d9b75dfb460a5b1850d5d3118d5f5de169ca54a9e0f37300efd4fcc73a437a6
                        • Opcode Fuzzy Hash: 7303fbe36ea327d128f4b038bfbf65970523db64ddd13426118725476800c869
                        • Instruction Fuzzy Hash: 9641F471A00608BFD7249F78CA45B9EBBA9FB89754F104A39E121DBB80D771E5068790
                        APIs
                          • Part of subcall function 6C8F9E65: WideCharToMultiByte.KERNEL32(00000000,00000000,6C8E66A1,?,6C8E6732,00000016,6C8EEE89,0000FDE9,?,?,00000008,?,00000003,6C912580,00000024,6C8EEE89), ref: 6C8F9F11
                        • GetLastError.KERNEL32 ref: 6C8FA115
                        • __dosmaperr.LIBCMT ref: 6C8FA11C
                        • GetLastError.KERNEL32(?,?,?,?), ref: 6C8FA156
                        • __dosmaperr.LIBCMT ref: 6C8FA15D
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                        • String ID:
                        • API String ID: 1913693674-0
                        • Opcode ID: 8336a423ae6d250c2e2008bb35c6ae4307023f1527a4567751b9252e783df40d
                        • Instruction ID: 099595fa6fc7ef70c72ebba3d15c414ccfc57b7c4b43183826d0354d89dbf63d
                        • Opcode Fuzzy Hash: 8336a423ae6d250c2e2008bb35c6ae4307023f1527a4567751b9252e783df40d
                        • Instruction Fuzzy Hash: 7321CB31604209AFD7309F6ACA808DB77B9FF453B87054D29E935D7A40D731EC428790
                        APIs
                        • LoadResource.KERNEL32(2DE00000,00000000,2DE00000,?,000000F0), ref: 2DE1227A
                        • LockResource.KERNEL32(00000000), ref: 2DE12288
                        • SendDlgItemMessageA.USER32(00000001,?,?,00000000,00000000), ref: 2DE122D8
                        • FreeResource.KERNEL32(?), ref: 2DE122F0
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Resource$FreeItemLoadLockMessageSend
                        • String ID:
                        • API String ID: 3233515012-0
                        • Opcode ID: 54da911226e47677987d5c6859ecad6d1b87d98b962e3868688c034d0c492007
                        • Instruction ID: f0192012aa7517954cac57fad6016d4dd89499323d05f548ad05468c3b23549f
                        • Opcode Fuzzy Hash: 54da911226e47677987d5c6859ecad6d1b87d98b962e3868688c034d0c492007
                        • Instruction Fuzzy Hash: 46217172600114BFDB119F98CC85ABE77ECEB05355B90C026FA86F7240DA75DE41EBA4
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e4b36e52201d0b8c762c638dd5f5c9d25d0eb0067c5259e48fa6c9cc3d15aac
                        • Instruction ID: c00cf421491467611821c28f5d632ec0774aab896f9fa64188704cb55fd0d2bd
                        • Opcode Fuzzy Hash: 3e4b36e52201d0b8c762c638dd5f5c9d25d0eb0067c5259e48fa6c9cc3d15aac
                        • Instruction Fuzzy Hash: 40218431608209BFDB309FA9DE8089A7B69FF4B3687054D64F958D7A50D731EC5487E0
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 6C8FB068
                          • Part of subcall function 6C8F9E65: WideCharToMultiByte.KERNEL32(00000000,00000000,6C8E66A1,?,6C8E6732,00000016,6C8EEE89,0000FDE9,?,?,00000008,?,00000003,6C912580,00000024,6C8EEE89), ref: 6C8F9F11
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C8FB0A0
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C8FB0C0
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                        • String ID:
                        • API String ID: 158306478-0
                        • Opcode ID: c645e2874e295e78daad5a8bda7e2139117be2c1af6573837fe2885275b25a83
                        • Instruction ID: cd0bcbd076bdd10e91cbfac5ad5e9f6a6c5a22cd161111c232e4b91c7296aae2
                        • Opcode Fuzzy Hash: c645e2874e295e78daad5a8bda7e2139117be2c1af6573837fe2885275b25a83
                        • Instruction Fuzzy Hash: 261182A1709519FFA73116BA9E88CBF697DDF861D83100939F42191600EF649D0646B9
                        APIs
                          • Part of subcall function 2DE04873: ??_V@YAXPAX@Z.MSVCR90(?,?,2DE04B1B), ref: 2DE04883
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 2DE04BF9
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 2DE04C39
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide
                        • String ID: ek29$pq8e
                        • API String ID: 626452242-1107266725
                        • Opcode ID: ce4bb88f205e0af481b9bfe892d5e043abb8357571322b4b005d7a6b3fe14bf0
                        • Instruction ID: be86faf887ee6353c6523344bb696ce9baeb0910394add7470d99ebaf3857a78
                        • Opcode Fuzzy Hash: ce4bb88f205e0af481b9bfe892d5e043abb8357571322b4b005d7a6b3fe14bf0
                        • Instruction Fuzzy Hash: F511AFB2904118BFDF01AF95CDC0CAE7FBDFF052A6B208126F619B2150EA318E51DB60
                        APIs
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 2DE04FAA
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 2DE04FB8
                        • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,?), ref: 2DE04FD0
                        • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,?), ref: 2DE05018
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Time$File$Format$DateLocalSystem
                        • String ID:
                        • API String ID: 4010208002-0
                        • Opcode ID: 55d76e91ffc06cb61a2d4dba41318085536051da4817d29b16013b24dcfb9706
                        • Instruction ID: f38912fda9bd5f074ee0737b4064089315bde1cc702859d34c9f6b714a09bcab
                        • Opcode Fuzzy Hash: 55d76e91ffc06cb61a2d4dba41318085536051da4817d29b16013b24dcfb9706
                        • Instruction Fuzzy Hash: 511160776102096BDB10CBA4CD45FEB77BDEF49B0AF018021EA06F7281DA709941C7E0
                        APIs
                        • IsWindowEnabled.USER32(00000000), ref: 2DE119AD
                        • EnableWindow.USER32(00000000,00000001), ref: 2DE119DA
                          • Part of subcall function 2DE13955: IsWindow.USER32(?), ref: 2DE1397E
                          • Part of subcall function 2DE13955: EnableWindow.USER32(?,00000001), ref: 2DE13990
                          • Part of subcall function 2DE13955: ??_V@YAXPAX@Z.MSVCR90(?,00000000,00000000,?,2DE119D5,?,?,?,2DE11DC9,?,?,00000034,2DE07728,?,?,?), ref: 2DE139A8
                        • GetWindowLongA.USER32(00000000,000000F0), ref: 2DE119E5
                        • SendMessageA.USER32(?,0000036E,?,?), ref: 2DE11A2A
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Enable$EnabledLongMessageSend
                        • String ID:
                        • API String ID: 2621221260-0
                        • Opcode ID: bb32262985773ac4c274de814cd8d7655f76918331de0e9f2c0d111f52b75e43
                        • Instruction ID: ed0aa6e6f5bd644c96fbd842ebb37869c49961a97d3258602a31e6ba4ec09716
                        • Opcode Fuzzy Hash: bb32262985773ac4c274de814cd8d7655f76918331de0e9f2c0d111f52b75e43
                        • Instruction Fuzzy Hash: CB11E131714A05AFDF124F64C845BAE7AF5EB40A95F10812AE22AFA250EF32DD40CB00
                        APIs
                        • GetTopWindow.USER32(?), ref: 2DE1192E
                        • GetTopWindow.USER32(00000000), ref: 2DE1196D
                        • GetWindow.USER32(00000000,00000002), ref: 2DE1198B
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window
                        • String ID:
                        • API String ID: 2353593579-0
                        • Opcode ID: b729a9e4a16570d845ed4569ce66a9d6bb9f616785952e555f7525a1062118bb
                        • Instruction ID: fec8727d7d8e7ba6ea117a30a31bb2514799f35f5b82e6184f2dab452ec24182
                        • Opcode Fuzzy Hash: b729a9e4a16570d845ed4569ce66a9d6bb9f616785952e555f7525a1062118bb
                        • Instruction Fuzzy Hash: 6801E53620411ABBCF135F909C04F9E3B6AFF183D1F018010FA29B5160CB36CA61EBA5
                        APIs
                        • FindResourceW.KERNEL32(2DE00000,?,00000005,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113A3
                        • LoadResource.KERNEL32(2DE00000,00000000,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113AF
                        • LockResource.KERNEL32(?,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113C0
                        • FreeResource.KERNEL32(?,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113DF
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Resource$FindFreeLoadLock
                        • String ID:
                        • API String ID: 1078018258-0
                        • Opcode ID: a8efbe4908ec1c30af3138e6126bc090e3f7a193e84cd5ac370c438b2d57004a
                        • Instruction ID: a83c390b76d7d32bf5f5ba7546a353102d56c1239423eb3a03057b618e331e4a
                        • Opcode Fuzzy Hash: a8efbe4908ec1c30af3138e6126bc090e3f7a193e84cd5ac370c438b2d57004a
                        • Instruction Fuzzy Hash: 10012633305D509FC7032BA288C8A7A33F8AF4561E703416DEA42FB605EB76CD428794
                        APIs
                        • GetDlgItem.USER32(000088C4,?), ref: 2DE111DA
                        • GetTopWindow.USER32(00000000), ref: 2DE111ED
                          • Part of subcall function 2DE111CF: GetWindow.USER32(00000000,00000002), ref: 2DE11234
                        • GetTopWindow.USER32(000088C4), ref: 2DE1121D
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Item
                        • String ID:
                        • API String ID: 369458955-0
                        • Opcode ID: 0ed834fd8d47b5b5f2f938f65daeef79185cd43fddb9785e295095d7fe1ff936
                        • Instruction ID: 78caea8ff3a2c42641585fb84a70031ac7c1f5089cf3231b375ab8e39500d269
                        • Opcode Fuzzy Hash: 0ed834fd8d47b5b5f2f938f65daeef79185cd43fddb9785e295095d7fe1ff936
                        • Instruction Fuzzy Hash: 60014B36305626A7CB132E618C00F9E3AA9AF157D5F018020FE04F5111EF35DE51E6E9
                        APIs
                        • GetLastActivePopup.USER32(?), ref: 2DE11A66
                        • GetForegroundWindow.USER32(00000000,?,?,2DE11DE0,?,?,00000034,2DE07728,?,?,?), ref: 2DE11A78
                        • IsWindowEnabled.USER32(?), ref: 2DE11A8B
                        • SetForegroundWindow.USER32(?), ref: 2DE11A98
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Foreground$ActiveEnabledLastPopup
                        • String ID:
                        • API String ID: 3209796547-0
                        • Opcode ID: fec151bf59149b915f30028da6df567905d8e51527dcf3a3a4c1db77088edd60
                        • Instruction ID: 4237eff81fc594085150e6e58ff0ff235704687a9804344f421f4b2d54d88b24
                        • Opcode Fuzzy Hash: fec151bf59149b915f30028da6df567905d8e51527dcf3a3a4c1db77088edd60
                        • Instruction Fuzzy Hash: 3CF0A432B09B01EFDF115B60E80866A7BE8AF00756B01C124E625F4050CFB9CD48CB90
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: DeleteObject$H_prolog3
                        • String ID:
                        • API String ID: 2471701793-0
                        • Opcode ID: 5755b9e2f4bf303a9d8c68cd99a4ca2b5906f1947a79675eecd3f6a190e20cb5
                        • Instruction ID: 38ace634ff8e6bf6bb9e00150678546841b3af3d9f301dc73749b2e9d0ecd5db
                        • Opcode Fuzzy Hash: 5755b9e2f4bf303a9d8c68cd99a4ca2b5906f1947a79675eecd3f6a190e20cb5
                        • Instruction Fuzzy Hash: B6F03C71B00710CBCB10EFA9888051EF6F5BF68614B610A2DE29AF7750CF70ED408A45
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE1592A
                        • GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • TlsGetValue.KERNEL32(0000000D,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15955
                        • SetLastError.KERNEL32(00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15984
                          • Part of subcall function 2DE15E13: TlsAlloc.KERNEL32(00000000,?,2DE15946,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15E1B
                          • Part of subcall function 2DE15E13: GetVersion.KERNEL32(?,2DE15946,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15E1F
                          • Part of subcall function 2DE15E13: TlsAlloc.KERNEL32(?,2DE15946,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15E32
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AllocErrorLast$H_prolog3ValueVersion
                        • String ID:
                        • API String ID: 2925315393-0
                        • Opcode ID: 313e1bb0cc4c6370f46f50a6be960fbc810c3b6ece0fc85aff8293679f3325a7
                        • Instruction ID: f5c9f16dda4a944d973ccb3fadc4225e0d58409ec143351d6e5ce2369c46e43b
                        • Opcode Fuzzy Hash: 313e1bb0cc4c6370f46f50a6be960fbc810c3b6ece0fc85aff8293679f3325a7
                        • Instruction Fuzzy Hash: 93F03072B142118FC745ABB88845B7D26F0AB18F75B510715EA3AFB3C0DF68CE409A56
                        APIs
                        • GetSysColor.USER32(0000000F), ref: 2DE08462
                        • SendMessageA.USER32(?,00000443,00000000,00000000), ref: 2DE0847F
                        • SendMessageA.USER32(?,0000043B,00000000,00000000), ref: 2DE0848B
                        • SendMessageA.USER32(?,00000445,00000000,00000000), ref: 2DE084A8
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: MessageSend$Color
                        • String ID:
                        • API String ID: 3922397608-0
                        • Opcode ID: e1f3708014c83522ad4db5db84b6bfd067d8a4279d37c00a3d55301fab7e63e7
                        • Instruction ID: 412843cd4cedd6ee6d8f9951360010306d7e914bd1480d890d6077efd6b5ec9f
                        • Opcode Fuzzy Hash: e1f3708014c83522ad4db5db84b6bfd067d8a4279d37c00a3d55301fab7e63e7
                        • Instruction Fuzzy Hash: ADF0A771500558B6DA215F12CC08F6B3E6CEBC5FA3F00803AB72879050C6714541CAA5
                        APIs
                        • IsWindowUnicode.USER32(?), ref: 2DE109F9
                        • DefWindowProcW.USER32(?,?,?,?), ref: 2DE10A0F
                        • DefWindowProcA.USER32(?,?,?,?), ref: 2DE10A17
                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 2DE10A2C
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Proc$CallUnicode
                        • String ID:
                        • API String ID: 3117573011-0
                        • Opcode ID: 6712436b275561412faa981374861e3c3c1730d9292a5f24fae0e1f0567602e9
                        • Instruction ID: 5ebc51056c884d8a66915a40fdacbe896c621bd537ce56ead9cfa337ac5e82ae
                        • Opcode Fuzzy Hash: 6712436b275561412faa981374861e3c3c1730d9292a5f24fae0e1f0567602e9
                        • Instruction Fuzzy Hash: 06F0BD36200609EFDF129FA5C808E9A7FB9FF087917108418FA56FA521DB36DD24EB54
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE158B2
                        • free.MSVCR90 ref: 2DE158CB
                        • TlsGetValue.KERNEL32(00000004,2DE12DCD,?,?,2DE159B3,00000001,2DE1263C,?,?,?,?,?,?,?,?,?), ref: 2DE158DC
                        • TlsSetValue.KERNEL32(00000000,?,?,2DE159B3,00000001,2DE1263C,?,?,?,?,?,?,?,?,?,?), ref: 2DE158EE
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Value$H_prolog3free
                        • String ID:
                        • API String ID: 3023147540-0
                        • Opcode ID: 3a6368561deb6a86a7c663d617aaf33a15f012b6fb48627a54ab9144929f8cbd
                        • Instruction ID: 248b74dc4971cf6dc8d4a5a4727e44a570cf6467323109d7d320a3340f61b2ff
                        • Opcode Fuzzy Hash: 3a6368561deb6a86a7c663d617aaf33a15f012b6fb48627a54ab9144929f8cbd
                        • Instruction Fuzzy Hash: 83F03771604741CBDB24EBA0C809BA97BF4BB10B15F518529E566B6290DFB4EE04CB18
                        APIs
                        • WriteConsoleW.KERNEL32(00000000,6C8E14C0,6C8E899D,00000000,00000000,?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000), ref: 6C901BF3
                        • GetLastError.KERNEL32(?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000,?,?,?,6C8F425A,?), ref: 6C901BFF
                          • Part of subcall function 6C901BC5: CloseHandle.KERNEL32(FFFFFFFE,6C901C0F,?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000,?,?), ref: 6C901BD5
                        • ___initconout.LIBCMT ref: 6C901C0F
                          • Part of subcall function 6C901B87: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C901BB6,6C8FE1E5,?,?,6C8F3C9C,?,00000000,00000000,?), ref: 6C901B9A
                        • WriteConsoleW.KERNEL32(00000000,6C8E14C0,6C8E899D,00000000,?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000,?), ref: 6C901C24
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: 95cc652dccfcac65a12e863cec067dc8de9d4f328d25e40813601fbf0f3a0c88
                        • Instruction ID: b309c99814f12a2892f102d2b34e5215ab7abdc7616bf639a6fb284e7b11d512
                        • Opcode Fuzzy Hash: 95cc652dccfcac65a12e863cec067dc8de9d4f328d25e40813601fbf0f3a0c88
                        • Instruction Fuzzy Hash: 0AF01C36708125BBCF121F91DC05A8D3F7AFB2A7A8B15411CFA19A5920D732C820DF95
                        APIs
                          • Part of subcall function 2DE15FCC: KiUserCallbackDispatcher.NTDLL(00000002), ref: 2DE15FDE
                          • Part of subcall function 2DE15FCC: GetSystemMetrics.USER32(00000003), ref: 2DE15FE8
                        • GetDC.USER32(00000000), ref: 2DE16025
                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 2DE16036
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 2DE1603E
                        • ReleaseDC.USER32(00000000,00000000), ref: 2DE16046
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CapsDevice$CallbackDispatcherMetricsReleaseSystemUser
                        • String ID:
                        • API String ID: 1894321826-0
                        • Opcode ID: ed19f3a8a7568dd4d60e5bd3a194388b818b3a0316d68a6f1a556f99a2e371a5
                        • Instruction ID: 553c4bdd1fff6e8aea2a5325422da035ac18e58c8707a684d20b922f92c956bb
                        • Opcode Fuzzy Hash: ed19f3a8a7568dd4d60e5bd3a194388b818b3a0316d68a6f1a556f99a2e371a5
                        • Instruction Fuzzy Hash: 74E04F726407146AD21017728C48F4BAFECEB58A63F004422F609EB2C1CA7988008EA0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _strcspn
                        • String ID: @
                        • API String ID: 3709121408-2766056989
                        • Opcode ID: 45ff1ea02da4861ac947a869f1c2c77c226706a496360b41299ae03b691388b4
                        • Instruction ID: 2cab782ab3cfe4054665caf90b1351f9244d5190bb462f25f79e4eb1d28b885d
                        • Opcode Fuzzy Hash: 45ff1ea02da4861ac947a869f1c2c77c226706a496360b41299ae03b691388b4
                        • Instruction Fuzzy Hash: 39E1257190024DDFDF14DFA8DA90AEDBBB5FF09308F12486AE815AB660DB30A955CF50
                        APIs
                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6C8E5A10
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        • Opcode ID: ec1dbb2166079a454f3f48ebb7bc228227eac3d16b51d990e4cf5245dbbbe4d9
                        • Instruction ID: 73de47d5019957da928d8546db45a4e75c998d780900052b135b568dfdb02d72
                        • Opcode Fuzzy Hash: ec1dbb2166079a454f3f48ebb7bc228227eac3d16b51d990e4cf5245dbbbe4d9
                        • Instruction Fuzzy Hash: DB415831A00209EFCF15DF98CE81AEE7BB5BF8E308F244969F91467651D3359950DB50
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE06FC2
                        • memset.MSVCR90 ref: 2DE06FD5
                          • Part of subcall function 2DE052D6: GetProcAddress.KERNEL32(00000000,00000142), ref: 2DE052F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressH_prolog3Procmemset
                        • String ID: D
                        • API String ID: 2467443255-2746444292
                        • Opcode ID: c50c3fe2fbca24ef6d2e30d2d293ab88aa1bbfa10507a061da2d1030a258762c
                        • Instruction ID: 3a9c6c71b7a73342d50ca9b557e526051739088e0d00c0d9f9f0e05f7d1a5fc7
                        • Opcode Fuzzy Hash: c50c3fe2fbca24ef6d2e30d2d293ab88aa1bbfa10507a061da2d1030a258762c
                        • Instruction Fuzzy Hash: FB316CB1A04605EBDB10EFA0C885A9E7BB9FF84745F208518E659BB290DF35ED01CB11
                        APIs
                          • Part of subcall function 6C8F5AAD: MultiByteToWideChar.KERNEL32(6C8FAE39,00000100,E8458D00,00000000,00000000,00000020,?,6C8F8002,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 6C8F5B1D
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C8E8FCF,00000000,?,00000000,2463616368652E646174), ref: 6C8E8DEC
                        • __dosmaperr.LIBCMT ref: 6C8E8DF3
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharErrorLastMultiWide__dosmaperr
                        • String ID: 2463616368652E646174
                        • API String ID: 2434981716-3036274828
                        • Opcode ID: 84938ab8dc6ae9330b15720c10605fe75f3f0137180ac88b91faa620407ce00b
                        • Instruction ID: a08be2abaeb443f35200762f458d7a65bbfde0a4644c83e1e08b229ad70d7fb9
                        • Opcode Fuzzy Hash: 84938ab8dc6ae9330b15720c10605fe75f3f0137180ac88b91faa620407ce00b
                        • Instruction Fuzzy Hash: 2921AB31604615BFD7315F2E8E0094F77A5EF9B3A5B154A1AE82497A90E770E8118790
                        APIs
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • GetClassInfoA.USER32(-00000068,?), ref: 2DE1185A
                          • Part of subcall function 2DE04609: _vsnprintf.MSVCR90 ref: 2DE0463A
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassErrorH_prolog3InfoLast_vsnprintf
                        • String ID: Afx:%x$Afx:%x:%x:%x:%x
                        • API String ID: 3801848739-1102061830
                        • Opcode ID: 5cda9b0a7c72ecb1f9619b295853e0c3c7125269b2711f997083b6715b1dff32
                        • Instruction ID: ce794fe46332818bfdc4c536d4e11fed8198e1b0adb0a543ba67ab41ce5d34f2
                        • Opcode Fuzzy Hash: 5cda9b0a7c72ecb1f9619b295853e0c3c7125269b2711f997083b6715b1dff32
                        • Instruction Fuzzy Hash: A52121B1E00209ABCB01DF95D840BEE7BF9EF59655F04802AF915F2201EB75DA50CBA5
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: EmptyH_prolog3Rect
                        • String ID: X$-
                        • API String ID: 1443337074-1787739716
                        • Opcode ID: 9152f942eca8f583369fd8cb702b94d0e5284345be57e5738ea352421ee21b01
                        • Instruction ID: 230fc07bf141b474d574ac46816416a1e246d67377fabd3dbe831035d7e122bd
                        • Opcode Fuzzy Hash: 9152f942eca8f583369fd8cb702b94d0e5284345be57e5738ea352421ee21b01
                        • Instruction Fuzzy Hash: EE21D3B0805B40CFC321CFAAC18465AFBF4BF65705F508A4ED19AA7A60CBB5A648CB55
                        APIs
                        • GetModuleHandleW.KERNEL32(mso.dll,?,2DE0FBDC,?,00000201,?,?,80000000), ref: 2DE0F624
                        • MessageBoxW.USER32(00000000,7FFFFEF8,80000008,00000000), ref: 2DE0F681
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: HandleMessageModule
                        • String ID: mso.dll
                        • API String ID: 2216695990-1671880577
                        • Opcode ID: 8e45b0e745f1a8061f8f225e02fd858c7839db9153886311a60a073155b07bbb
                        • Instruction ID: d0f851e8aab955daaa466e203f5171b14a45a552adbc087ad9cebd2e24ed3510
                        • Opcode Fuzzy Hash: 8e45b0e745f1a8061f8f225e02fd858c7839db9153886311a60a073155b07bbb
                        • Instruction Fuzzy Hash: 31F0B43219410ABBE3449AB4CC06FA537ECE724B46F048110F146F62D0DE6DD594CB76
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C8E12F3
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E1331
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382361998.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000006.00000002.3382342298.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382391438.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382416056.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382437212.000000006C924000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382457720.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000006.00000002.3382474415.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Lockitstd::_$Lockit::_Lockit::~_
                        • String ID: outlook-web.ddns.net
                        • API String ID: 593203224-2894021055
                        • Opcode ID: 5194702f17f0ef2d75552974635466a53989dcefc40f6e661027ce3c5331d194
                        • Instruction ID: 44bf2bccd086bdd494015e98e179b275bac667e138ca9b64d709497016b0cdf4
                        • Opcode Fuzzy Hash: 5194702f17f0ef2d75552974635466a53989dcefc40f6e661027ce3c5331d194
                        • Instruction Fuzzy Hash: 5EF0BE726001909ECB60EB5DCA40A99BBE5EBCB754B254A78C42AD7702EB30E942C781
                        APIs
                        • ??_U@YAPAXI@Z.MSVCR90(?,p(-,?,?,2DE13669,p(-,?,00000000,?,2DE157B6,00000000,?,?,?,2DE02870,?), ref: 2DE13607
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID: p(-$p(-
                        • API String ID: 0-773738704
                        • Opcode ID: cc3a28099630c4a92c833c90afcec42e4b710eff09a216eab597794e02bd7e12
                        • Instruction ID: eac8867002c6476c7256e3ccf449a015698073b16dcffed580ea3734e6da1714
                        • Opcode Fuzzy Hash: cc3a28099630c4a92c833c90afcec42e4b710eff09a216eab597794e02bd7e12
                        • Instruction Fuzzy Hash: 19E06D7A2047069AC721CF4AD000B42FBE8EFA5760F51842AD6D8A3600CB70F8808BA0
                        APIs
                          • Part of subcall function 2DE03F46: LoadLibraryA.KERNEL32(?,2DE19D60,00000010), ref: 2DE03F75
                        • GetProcAddress.KERNEL32(00000000,00000142), ref: 2DE052F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.3382268368.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000006.00000002.3382250238.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382290925.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382307287.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000006.00000002.3382325267.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: 4-$olmapi32.dll
                        • API String ID: 2574300362-675466117
                        • Opcode ID: 8ccf418b054d2ad8586eb34c0dcd90fb179f0bb6e35669667af19ac5602818c3
                        • Instruction ID: fdf3de23cda28f83e7e81ee7a96c9e15eaa9415382723889029e1f57285b39c2
                        • Opcode Fuzzy Hash: 8ccf418b054d2ad8586eb34c0dcd90fb179f0bb6e35669667af19ac5602818c3
                        • Instruction Fuzzy Hash: 75C08CF690E2411ECB102F6059CA7CC3AF0FB2AF03F000545F286F8656CEA8C444CA07

                        Execution Graph

                        Execution Coverage:4.5%
                        Dynamic/Decrypted Code Coverage:3.7%
                        Signature Coverage:0%
                        Total number of Nodes:1418
                        Total number of Limit Nodes:13
42329 6c8debc8 42327->42329 42328 6c8dec80 __DllMainCRTStartup@12 42908 6c8de818 42328->42908 42331 6c8d4149 __DllMainCRTStartup@12 36 API calls 42329->42331 42333 6c8debd3 42331->42333 42332 6c8decbf 42334 6c8d170a __DllMainCRTStartup@12 38 API calls 42332->42334 42335 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42333->42335 42336 6c8decd7 42334->42336 42337 6c8debe3 42335->42337 42338 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42336->42338 42339 6c8d4149 __DllMainCRTStartup@12 36 API calls 42337->42339 42340 6c8dece6 42338->42340 42341 6c8debee 42339->42341 42342 6c8d4149 __DllMainCRTStartup@12 36 API calls 42340->42342 42932 6c8d4162 36 API calls __DllMainCRTStartup@12 42341->42932 42344 6c8decf1 42342->42344 42345 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42344->42345 42346 6c8ded01 __fread_nolock 42345->42346 42347 6c8ded14 GetVersionExW GetModuleHandleA LoadStringW 42346->42347 42348 6c8dee08 42347->42348 42349 6c8ded53 wsprintfA 42347->42349 42350 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42348->42350 42351 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42349->42351 42352 6c8dee26 42350->42352 42353 6c8ded7b 42351->42353 42355 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42352->42355 42354 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42353->42354 42356 6c8ded8a 42354->42356 42362 6c8dee3b __DllMainCRTStartup@12 42355->42362 42357 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42356->42357 42358 6c8ded9a wsprintfA 42357->42358 42359 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42358->42359 42360 6c8dedc1 42359->42360 42361 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42360->42361 42363 6c8dedd1 wsprintfA 42361->42363 42364 6c8de818 __DllMainCRTStartup@12 38 API calls 42362->42364 42365 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42363->42365 42366 6c8dee7a 42364->42366 42367 6c8dedf8 42365->42367 42368 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42366->42368 42369 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42367->42369 42370 6c8dee8a 42368->42370 
42369->42348 42371 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42370->42371 42372 6c8dee9c 42371->42372 42373 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42372->42373 42374 6c8deeac 42373->42374 42375 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42374->42375 42376 6c8deeca 42375->42376 42377 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42376->42377 42378 6c8deedf __DllMainCRTStartup@12 42377->42378 42379 6c8de818 __DllMainCRTStartup@12 38 API calls 42378->42379 42380 6c8def1e 42379->42380 42381 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42380->42381 42382 6c8def2e 42381->42382 42383 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42382->42383 42384 6c8def40 42383->42384 42385 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42384->42385 42386 6c8def50 42385->42386 42387 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42386->42387 42388 6c8def6e 42387->42388 42389 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42388->42389 42390 6c8def83 __DllMainCRTStartup@12 42389->42390 42391 6c8de818 __DllMainCRTStartup@12 38 API calls 42390->42391 42392 6c8defc2 42391->42392 42393 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42392->42393 42394 6c8defd2 42393->42394 42395 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42394->42395 42396 6c8defe4 42395->42396 42397 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42396->42397 42398 6c8deff4 42397->42398 42399 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42398->42399 42400 6c8df012 42399->42400 42401 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42400->42401 42402 6c8df027 __DllMainCRTStartup@12 42401->42402 42403 6c8de818 __DllMainCRTStartup@12 38 API calls 42402->42403 42404 6c8df066 42403->42404 42405 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42404->42405 42406 6c8df076 42405->42406 42407 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42406->42407 42408 6c8df088 42407->42408 42409 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42408->42409 42410 6c8df098 42409->42410 42912 6c8e056b 42410->42912 42412 6c8df0b1 42918 6c8e0479 42412->42918 42414 
6c8df0ca 42415 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42414->42415 42416 6c8df0df __DllMainCRTStartup@12 42415->42416 42417 6c8de818 __DllMainCRTStartup@12 38 API calls 42416->42417 42418 6c8df11e 42417->42418 42419 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42418->42419 42420 6c8df12e 42419->42420 42421 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42420->42421 42422 6c8df140 42421->42422 42423 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42422->42423 42424 6c8df150 RegCloseKey 42423->42424 42925 6c8e0834 42424->42925 42427 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42428 6c8df1b1 __DllMainCRTStartup@12 42427->42428 42429 6c8de818 __DllMainCRTStartup@12 38 API calls 42428->42429 42430 6c8df1f0 42429->42430 42431 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42430->42431 42432 6c8df200 42431->42432 42433 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42432->42433 42434 6c8df212 42433->42434 42435 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42434->42435 42436 6c8df222 GetPrivateProfileStringW 42435->42436 42437 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42436->42437 42438 6c8df25c __DllMainCRTStartup@12 42437->42438 42439 6c8de818 __DllMainCRTStartup@12 38 API calls 42438->42439 42440 6c8df29b 42439->42440 42441 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42440->42441 42442 6c8df2ab 42441->42442 42443 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42442->42443 42444 6c8df2bd 42443->42444 42445 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42444->42445 42447 6c8df2cd 42445->42447 42446 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42448 6c8df336 __DllMainCRTStartup@12 42446->42448 42447->42446 42449 6c8de818 __DllMainCRTStartup@12 38 API calls 42448->42449 42450 6c8df375 42449->42450 42451 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42450->42451 42452 6c8df385 42451->42452 42453 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42452->42453 42454 6c8df397 42453->42454 42455 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42454->42455 42456 6c8df3a7 GetModuleHandleA 
LoadStringW 42455->42456 42457 6c8df3c8 42456->42457 42458 6c8df3e0 42456->42458 42457->42458 42933 6c8e1d63 5 API calls __DllMainCRTStartup@12 42457->42933 42459 6c8e0834 __DllMainCRTStartup@12 40 API calls 42458->42459 42461 6c8df410 42459->42461 42462 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42461->42462 42463 6c8df425 __DllMainCRTStartup@12 42462->42463 42464 6c8de818 __DllMainCRTStartup@12 38 API calls 42463->42464 42465 6c8df464 42464->42465 42466 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42465->42466 42467 6c8df474 42466->42467 42468 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42467->42468 42469 6c8df486 42468->42469 42470 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42469->42470 42471 6c8df496 42470->42471 42472 6c8df4be 42471->42472 42473 6c8df626 42471->42473 42475 6c8e0834 __DllMainCRTStartup@12 40 API calls 42472->42475 42474 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42473->42474 42476 6c8df646 42474->42476 42477 6c8df4d5 42475->42477 42478 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42476->42478 42479 6c8e0834 __DllMainCRTStartup@12 40 API calls 42477->42479 42485 6c8df65b __DllMainCRTStartup@12 42478->42485 42480 6c8df4f1 42479->42480 42481 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42480->42481 42482 6c8df52a 42481->42482 42483 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42482->42483 42484 6c8df595 42483->42484 42486 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42484->42486 42487 6c8de818 __DllMainCRTStartup@12 38 API calls 42485->42487 42494 6c8df5aa __DllMainCRTStartup@12 42486->42494 42488 6c8df69a 42487->42488 42489 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42488->42489 42490 6c8df6aa 42489->42490 42491 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42490->42491 42492 6c8df6bc 42491->42492 42493 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42492->42493 42495 6c8df6cc 42493->42495 42496 6c8de818 __DllMainCRTStartup@12 38 API calls 42494->42496 42497 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42495->42497 42498 6c8df5e9 42496->42498 
42500 6c8df6ec 42497->42500 42499 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42498->42499 42501 6c8df5fb 42499->42501 42502 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42500->42502 42503 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42501->42503 42509 6c8df701 __DllMainCRTStartup@12 42502->42509 42504 6c8df60b 42503->42504 42505 6c8d4149 __DllMainCRTStartup@12 36 API calls 42504->42505 42506 6c8df616 42505->42506 42934 6c8d4162 36 API calls __DllMainCRTStartup@12 42506->42934 42508 6c8df621 42508->41894 42510 6c8de818 __DllMainCRTStartup@12 38 API calls 42509->42510 42511 6c8df740 42510->42511 42512 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42511->42512 42513 6c8df750 42512->42513 42514 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42513->42514 42515 6c8df762 42514->42515 42516 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42515->42516 42517 6c8df772 42516->42517 42518 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42517->42518 42519 6c8df792 42518->42519 42520 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42519->42520 42521 6c8df7a7 __DllMainCRTStartup@12 42520->42521 42522 6c8de818 __DllMainCRTStartup@12 38 API calls 42521->42522 42523 6c8df7e6 42522->42523 42524 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42523->42524 42525 6c8df7f6 42524->42525 42526 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42525->42526 42527 6c8df808 42526->42527 42528 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42527->42528 42529 6c8df818 42528->42529 42530 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42529->42530 42531 6c8df838 42530->42531 42532 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42531->42532 42533 6c8df84d __DllMainCRTStartup@12 42532->42533 42534 6c8de818 __DllMainCRTStartup@12 38 API calls 42533->42534 42535 6c8df88c 42534->42535 42536 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42535->42536 42537 6c8df89c 42536->42537 42538 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42537->42538 42539 6c8df8ae 42538->42539 42540 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42539->42540 
42541 6c8df8be GetLocaleInfoW 42540->42541 42542 6c8df8df 42541->42542 42543 6c8df9f7 42541->42543 42544 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42542->42544 42545 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42543->42545 42549 6c8df901 __DllMainCRTStartup@12 42544->42549 42554 6c8dfa17 __DllMainCRTStartup@12 42545->42554 42546 6c8dfb50 GetTimeZoneInformation RegOpenKeyExW 42547 6c8dfd08 GlobalMemoryStatus 42546->42547 42548 6c8dfb83 RegEnumKeyExW 42546->42548 42928 6c8e03e4 42547->42928 42552 6c8dfbdd 42548->42552 42553 6c8dfcfc RegCloseKey 42548->42553 42549->42543 42555 6c8df95e 42549->42555 42556 6c8df92b SHLoadIndirectString 42549->42556 42559 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42552->42559 42553->42547 42554->42546 42560 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42554->42560 42561 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42555->42561 42556->42555 42557 6c8dfd27 42558 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42557->42558 42571 6c8dfd3b __DllMainCRTStartup@12 42558->42571 42563 6c8dfc00 __DllMainCRTStartup@12 42559->42563 42564 6c8dfa5a __DllMainCRTStartup@12 42560->42564 42570 6c8df970 __DllMainCRTStartup@12 42561->42570 42562 6c8dfcf7 42562->42562 42563->42562 42565 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42563->42565 42564->42546 42566 6c8dfa84 SHLoadIndirectString 42564->42566 42567 6c8dfab7 42564->42567 42568 6c8dfc43 42565->42568 42566->42567 42569 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42567->42569 42572 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42568->42572 42583 6c8dfac9 __DllMainCRTStartup@12 42569->42583 42573 6c8de818 __DllMainCRTStartup@12 38 API calls 42570->42573 42574 6c8de818 __DllMainCRTStartup@12 38 API calls 42571->42574 42589 6c8dfc58 __DllMainCRTStartup@12 42572->42589 42575 6c8df9af 42573->42575 42576 6c8dfd7a 42574->42576 42577 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42575->42577 42578 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42576->42578 42579 6c8df9bf 42577->42579 42580 6c8dfd8a 42578->42580 
42581 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42579->42581 42582 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42580->42582 42584 6c8df9d1 42581->42584 42585 6c8dfd9c 42582->42585 42586 6c8de818 __DllMainCRTStartup@12 38 API calls 42583->42586 42587 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42584->42587 42588 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42585->42588 42591 6c8dfb08 42586->42591 42592 6c8df9e1 42587->42592 42593 6c8dfdac 42588->42593 42590 6c8de818 __DllMainCRTStartup@12 38 API calls 42589->42590 42595 6c8dfc97 42590->42595 42596 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42591->42596 42597 6c8d4149 __DllMainCRTStartup@12 36 API calls 42592->42597 42594 6c8e03e4 __DllMainCRTStartup@12 37 API calls 42593->42594 42598 6c8dfdbe 42594->42598 42599 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42595->42599 42600 6c8dfb18 42596->42600 42601 6c8df9ec 42597->42601 42602 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42598->42602 42603 6c8dfca7 42599->42603 42604 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42600->42604 42935 6c8d4162 36 API calls __DllMainCRTStartup@12 42601->42935 42618 6c8dfdd2 __DllMainCRTStartup@12 42602->42618 42606 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42603->42606 42607 6c8dfb2a 42604->42607 42608 6c8dfcb9 42606->42608 42609 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42607->42609 42610 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42608->42610 42611 6c8dfb3a 42609->42611 42612 6c8dfcc9 42610->42612 42613 6c8d4149 __DllMainCRTStartup@12 36 API calls 42611->42613 42614 6c8d4149 __DllMainCRTStartup@12 36 API calls 42612->42614 42615 6c8dfb45 42613->42615 42616 6c8dfcd4 42614->42616 42936 6c8d4162 36 API calls __DllMainCRTStartup@12 42615->42936 42937 6c8d4162 36 API calls __DllMainCRTStartup@12 42616->42937 42620 6c8de818 __DllMainCRTStartup@12 38 API calls 42618->42620 42622 6c8dfe11 42620->42622 42621 6c8dfcdf 42621->42553 42621->42562 42623 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42622->42623 42624 6c8dfe21 
42623->42624 42625 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42624->42625 42626 6c8dfe33 42625->42626 42627 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42626->42627 42628 6c8dfe43 42627->42628 42629 6c8e03e4 __DllMainCRTStartup@12 37 API calls 42628->42629 42630 6c8dfe55 42629->42630 42631 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42630->42631 42632 6c8dfe69 __DllMainCRTStartup@12 42631->42632 42633 6c8de818 __DllMainCRTStartup@12 38 API calls 42632->42633 42634 6c8dfea8 42633->42634 42635 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42634->42635 42636 6c8dfeb8 42635->42636 42637 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42636->42637 42638 6c8dfeca 42637->42638 42639 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42638->42639 42640 6c8dfeda 42639->42640 42641 6c8e03e4 __DllMainCRTStartup@12 37 API calls 42640->42641 42642 6c8dfeec 42641->42642 42643 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42642->42643 42644 6c8dff00 __DllMainCRTStartup@12 42643->42644 42645 6c8de818 __DllMainCRTStartup@12 38 API calls 42644->42645 42646 6c8dff3f 42645->42646 42647 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42646->42647 42648 6c8dff4f 42647->42648 42649 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42648->42649 42650 6c8dff61 42649->42650 42651 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42650->42651 42652 6c8dff71 42651->42652 42653 6c8e03e4 __DllMainCRTStartup@12 37 API calls 42652->42653 42654 6c8dff8a 42653->42654 42655 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42654->42655 42656 6c8dff9e __DllMainCRTStartup@12 42655->42656 42657 6c8de818 __DllMainCRTStartup@12 38 API calls 42656->42657 42658 6c8dffdd 42657->42658 42659 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42658->42659 42660 6c8dffed 42659->42660 42661 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42660->42661 42662 6c8dffff 42661->42662 42663 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42662->42663 42664 6c8e000f 42663->42664 42665 6c8e05f9 __DllMainCRTStartup@12 3 API calls 42664->42665 42670 6c8e002f 
42665->42670 42666 6c8e0143 NetGetJoinInformation 42667 6c8e0219 __DllMainCRTStartup@12 42666->42667 42668 6c8e0160 42666->42668 42674 6c8d4149 __DllMainCRTStartup@12 36 API calls 42667->42674 42672 6c8e020e NetApiBufferFree 42668->42672 42673 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42668->42673 42669 6c8e008f 42671 6c8d36c1 __DllMainCRTStartup@12 38 API calls 42669->42671 42670->42666 42670->42669 42938 6c8e1d63 5 API calls __DllMainCRTStartup@12 42670->42938 42683 6c8e00bc __DllMainCRTStartup@12 42671->42683 42672->42667 42681 6c8e0187 __DllMainCRTStartup@12 42673->42681 42676 6c8e0233 42674->42676 42941 6c8d4162 36 API calls __DllMainCRTStartup@12 42676->42941 42678 6c8e023e 42679 6c8d4149 __DllMainCRTStartup@12 36 API calls 42678->42679 42680 6c8e0249 42679->42680 42942 6c8d4162 36 API calls __DllMainCRTStartup@12 42680->42942 42684 6c8de818 __DllMainCRTStartup@12 38 API calls 42681->42684 42686 6c8de818 __DllMainCRTStartup@12 38 API calls 42683->42686 42687 6c8e01c6 42684->42687 42685 6c8e0254 42688 6c8d4149 __DllMainCRTStartup@12 36 API calls 42685->42688 42689 6c8e00fb 42686->42689 42690 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42687->42690 42691 6c8e025f 42688->42691 42692 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42689->42692 42694 6c8e01d6 42690->42694 42943 6c8d4162 36 API calls __DllMainCRTStartup@12 42691->42943 42693 6c8e010b 42692->42693 42696 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42693->42696 42697 6c8d4a2e __DllMainCRTStartup@12 38 API calls 42694->42697 42699 6c8e011d 42696->42699 42700 6c8e01e8 42697->42700 42698 6c8e026a 42701 6c8d4149 __DllMainCRTStartup@12 36 API calls 42698->42701 42703 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42699->42703 42704 6c8d4a5d __DllMainCRTStartup@12 38 API calls 42700->42704 42702 6c8e0275 42701->42702 42944 6c8d4162 36 API calls __DllMainCRTStartup@12 42702->42944 42706 6c8e012d 42703->42706 42707 6c8e01f8 42704->42707 42709 6c8d4149 __DllMainCRTStartup@12 36 API calls 42706->42709 42710 
6c8d4149 __DllMainCRTStartup@12 36 API calls 42707->42710 42708 6c8e0280 42711 6c8d4149 __DllMainCRTStartup@12 36 API calls 42708->42711 42712 6c8e0138 42709->42712 42713 6c8e0203 42710->42713 42714 6c8e028b 42711->42714 42939 6c8d4162 36 API calls __DllMainCRTStartup@12 42712->42939 42940 6c8d4162 36 API calls __DllMainCRTStartup@12 42713->42940 42945 6c8d4162 36 API calls __DllMainCRTStartup@12 42714->42945 42718 6c8e0296 42719 6c8d4149 __DllMainCRTStartup@12 36 API calls 42718->42719 42720 6c8e02a1 42719->42720 42946 6c8d4162 36 API calls __DllMainCRTStartup@12 42720->42946 42722 6c8e02ac 42723 6c8d4149 __DllMainCRTStartup@12 36 API calls 42722->42723 42724 6c8e02b7 42723->42724 42947 6c8d4162 36 API calls __DllMainCRTStartup@12 42724->42947 42726 6c8e02c2 42727 6c8d4149 __DllMainCRTStartup@12 36 API calls 42726->42727 42728 6c8e02cd 42727->42728 42948 6c8d4162 36 API calls __DllMainCRTStartup@12 42728->42948 42730 6c8e02d8 42731 6c8d4149 __DllMainCRTStartup@12 36 API calls 42730->42731 42732 6c8e02e3 42731->42732 42949 6c8d4162 36 API calls __DllMainCRTStartup@12 42732->42949 42734 6c8e02ee 42735 6c8d4149 __DllMainCRTStartup@12 36 API calls 42734->42735 42736 6c8e02f9 42735->42736 42950 6c8d4162 36 API calls __DllMainCRTStartup@12 42736->42950 42738 6c8e0304 42739 6c8d4149 __DllMainCRTStartup@12 36 API calls 42738->42739 42740 6c8e030f 42739->42740 42951 6c8d4162 36 API calls __DllMainCRTStartup@12 42740->42951 42742 6c8e031a 42743 6c8d4149 __DllMainCRTStartup@12 36 API calls 42742->42743 42744 6c8e0325 42743->42744 42952 6c8d4162 36 API calls __DllMainCRTStartup@12 42744->42952 42746 6c8e0330 42747 6c8d4149 __DllMainCRTStartup@12 36 API calls 42746->42747 42748 6c8e033b 42747->42748 42953 6c8d4162 36 API calls __DllMainCRTStartup@12 42748->42953 42750 6c8e0346 42751 6c8d4149 __DllMainCRTStartup@12 36 API calls 42750->42751 42752 6c8e0351 42751->42752 42954 6c8d4162 36 API calls __DllMainCRTStartup@12 42752->42954 42754 6c8e035c 42755 6c8d4149 
__DllMainCRTStartup@12 36 API calls 42754->42755 42756 6c8e0367 42755->42756 42955 6c8d4162 36 API calls __DllMainCRTStartup@12 42756->42955 42758 6c8e0372 42759 6c8d4149 __DllMainCRTStartup@12 36 API calls 42758->42759 42760 6c8e037d 42759->42760 42956 6c8d4162 36 API calls __DllMainCRTStartup@12 42760->42956 42762 6c8e0388 42763 6c8d4149 __DllMainCRTStartup@12 36 API calls 42762->42763 42764 6c8e0393 42763->42764 42957 6c8d4162 36 API calls __DllMainCRTStartup@12 42764->42957 42766 6c8e039e 42767 6c8d4149 __DllMainCRTStartup@12 36 API calls 42766->42767 42768 6c8e03a9 42767->42768 42958 6c8d4162 36 API calls __DllMainCRTStartup@12 42768->42958 42770 6c8e03b4 42771 6c8d4149 __DllMainCRTStartup@12 36 API calls 42770->42771 42772 6c8e03bf 42771->42772 42959 6c8d4162 36 API calls __DllMainCRTStartup@12 42772->42959 42774 6c8e03ca 42775 6c8d4149 __DllMainCRTStartup@12 36 API calls 42774->42775 42775->42321 42777 6c8d30f1 __DllMainCRTStartup@12 42776->42777 43160 6c8d8640 42777->43160 42779 6c8d3129 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z __DllMainCRTStartup@12 42779->41902 43164 6c8da515 42780->43164 42784 6c8d16af __DllMainCRTStartup@12 42783->42784 42785 6c8d16da __DllMainCRTStartup@12 42784->42785 43182 6c8da468 38 API calls __DllMainCRTStartup@12 42784->43182 42787 6c8d353f __DllMainCRTStartup@12 38 API calls 42785->42787 42788 6c8d1705 42787->42788 42788->41915 42790 6c8e8f9e 42789->42790 42791 6c8e8fa8 42789->42791 42792 6c8f5b29 __DllMainCRTStartup@12 16 API calls 42790->42792 43183 6c8e8ed9 42791->43183 42794 6c8e8fa5 42792->42794 42794->41946 42798 6c8e8fd6 42800 6c8e8ff4 42798->42800 42801 6c8f26df ___free_lconv_mon 14 API calls 42798->42801 42800->41946 42801->42800 42802->41884 42803->41930 42804->41933 42805->42081 42806->42081 42807->42158 42808->42163 42809->42175 42810->42179 42811->42180 42812->42187 42813->42190 42814->42193 42815->42255 42816->42081 42817->42081 42819 6c8d1718 __DllMainCRTStartup@12 42818->42819 42820 6c8d1743 
__DllMainCRTStartup@12 42819->42820 43234 6c8da468 38 API calls __DllMainCRTStartup@12 42819->43234 42822 6c8d353f __DllMainCRTStartup@12 38 API calls 42820->42822 42823 6c8d176e 42822->42823 42823->42081 42824->42081 42825->42081 42826->42081 42827->42081 42828->42255 42829->42255 42830->42255 42831->42081 42832->42240 42833->42240 42834->42240 42835->42240 42836->42240 43235 6c8da5be 42837->43235 42840->42240 42842 6c8da77f __DllMainCRTStartup@12 42841->42842 42845 6c8da797 42842->42845 42844 6c8da793 42844->42259 42846 6c8da7eb 42845->42846 42848 6c8da7ab __DllMainCRTStartup@12 42845->42848 42849 6c8d1e78 38 API calls 2 library calls 42846->42849 42848->42844 42849->42848 42850->42261 42851->42261 42853 6c8d3163 __DllMainCRTStartup@12 42852->42853 42856 6c8da6c4 42853->42856 42855 6c8d3191 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z __DllMainCRTStartup@12 42855->42271 42861 6c8d85d0 42856->42861 42858 6c8da6d6 __DllMainCRTStartup@12 42859 6c8da797 __DllMainCRTStartup@12 38 API calls 42858->42859 42860 6c8da6fe 42859->42860 42860->42855 42862 6c8d85e7 42861->42862 42863 6c8d85e2 42861->42863 42862->42858 42865 6c8da486 38 API calls __DllMainCRTStartup@12 42863->42865 42865->42862 42867 6c8d355a __DllMainCRTStartup@12 42866->42867 42868 6c8d3610 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z __DllMainCRTStartup@12 42867->42868 42871 6c8da4b0 42867->42871 42868->42277 42870->42275 42872 6c8da4bf __DllMainCRTStartup@12 42871->42872 42875 6c8d1778 42872->42875 42876 6c8d178f 42875->42876 42877 6c8d1784 42875->42877 42880 6c8d178c 42876->42880 42881 6c8d4473 42876->42881 42884 6c8d17a4 38 API calls __DllMainCRTStartup@12 42877->42884 42880->42868 42885 6c8e1bf5 42881->42885 42884->42880 42887 6c8e1bfa 42885->42887 42886 6c8e6b06 ___std_exception_copy 15 API calls 42886->42887 42887->42886 42888 6c8d447e 42887->42888 42889 6c8ef04b std::_Facet_Register EnterCriticalSection LeaveCriticalSection 42887->42889 42890 6c8e1c16 std::_Facet_Register 
42887->42890 42888->42880 42889->42887 42891 6c8e497c CallUnexpected RaiseException 42890->42891 42892 6c8e262c 42891->42892 42895 6c8da2d7 __DllMainCRTStartup@12 42893->42895 42894 6c8da315 __DllMainCRTStartup@12 42894->42280 42895->42894 42897 6c8dab1f 36 API calls __DllMainCRTStartup@12 42895->42897 42897->42894 42899 6c8e063d RegQueryValueExW 42898->42899 42900 6c8e061b RegOpenKeyExW 42898->42900 42902 6c8e065a __DllMainCRTStartup@12 42899->42902 42900->42899 42901 6c8e0636 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42900->42901 42901->42318 42902->42901 42903 6c8e0686 RegCloseKey 42902->42903 42903->42901 42905 6c8d36df __DllMainCRTStartup@12 42904->42905 42960 6c8da805 42905->42960 42907 6c8d3707 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z __DllMainCRTStartup@12 42907->42328 42909 6c8de839 __DllMainCRTStartup@12 42908->42909 42969 6c8de8f5 42909->42969 42911 6c8de886 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z __DllMainCRTStartup@12 42911->42332 42913 6c8e05ae RegQueryValueExW 42912->42913 42914 6c8e058f RegOpenKeyExW 42912->42914 42915 6c8e05cb 42913->42915 42914->42913 42917 6c8e05aa __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42914->42917 42916 6c8e05e1 RegCloseKey 42915->42916 42915->42917 42916->42917 42917->42412 42995 6c8e08b3 42918->42995 42921 6c8e0510 42922 6c8e0834 __DllMainCRTStartup@12 40 API calls 42921->42922 42923 6c8e0530 GetTimeFormatW 42922->42923 42924 6c8e0569 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42923->42924 42924->42414 43120 6c8e08c1 42925->43120 43148 6c8ed9a3 42928->43148 42931 6c8e0450 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z __DllMainCRTStartup@12 42931->42557 42932->42311 42933->42458 42934->42508 42935->42543 42936->42546 42937->42621 42938->42669 42939->42666 42940->42672 42941->42678 42942->42685 42943->42698 42944->42708 42945->42718 42946->42722 42947->42726 42948->42730 42949->42734 42950->42738 42951->42742 42952->42746 
42953->42750 42954->42754 42955->42758 42956->42762 42957->42766 42958->42770 42959->42774 42961 6c8da814 __DllMainCRTStartup@12 42960->42961 42964 6c8da82c 42961->42964 42963 6c8da828 42963->42907 42965 6c8da885 42964->42965 42967 6c8da840 __DllMainCRTStartup@12 42964->42967 42968 6c8d1dae 38 API calls 2 library calls 42965->42968 42967->42963 42968->42967 42970 6c8de909 __DllMainCRTStartup@12 42969->42970 42975 6c8e07ba 42970->42975 42974 6c8de936 42974->42911 42976 6c8e07d0 42975->42976 42977 6c8de920 42975->42977 42976->42977 42978 6c8e07e8 42976->42978 42980 6c8e0813 __DllMainCRTStartup@12 42976->42980 42982 6c8de89f 42977->42982 42988 6c8de93a 38 API calls 2 library calls 42978->42988 42980->42977 42989 6c8e06e8 36 API calls __DllMainCRTStartup@12 42980->42989 42983 6c8de8ba 42982->42983 42984 6c8de8db 42983->42984 42994 6c8dc0d6 38 API calls __DllMainCRTStartup@12 42983->42994 42990 6c8dea5a 42984->42990 42987 6c8de8e7 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 42987->42974 42988->42977 42989->42977 42991 6c8dea69 42990->42991 42992 6c8dea73 42990->42992 42993 6c8da2c6 __DllMainCRTStartup@12 36 API calls 42991->42993 42992->42987 42993->42992 42994->42983 42998 6c8edc9a 42995->42998 43003 6c8f6cbd 42998->43003 43001 6c8e0492 GetDateFormatW 43001->42921 43047 6c8f042d GetLastError 43003->43047 43005 6c8f6cc5 43007 6c8edca5 43005->43007 43011 6c8f6ce3 43005->43011 43072 6c8f2719 15 API calls 2 library calls 43005->43072 43007->43001 43012 6c8eda0b 43007->43012 43009 6c8f6cd9 43073 6c8f26df 43009->43073 43011->43007 43079 6c8e6bae 14 API calls __dosmaperr 43011->43079 43013 6c8eda2e 43012->43013 43014 6c8eda1b 43012->43014 43016 6c8eda40 43013->43016 43023 6c8eda53 43013->43023 43099 6c8e6bae 14 API calls __dosmaperr 43014->43099 43101 6c8e6bae 14 API calls __dosmaperr 43016->43101 43017 6c8eda20 43100 6c8e692f 36 API calls ___std_exception_copy 43017->43100 43020 6c8eda45 43102 6c8e692f 36 API calls ___std_exception_copy 43020->43102 43021 

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • Sleep.KERNELBASE(000003E8,58160781928836700431202065781531683322301950835055,528C51E4,?,?,?,?,?,?,6C8E4DE0,6C9118B0,000000FE,?,6C8D7E9A), ref: 6C8D4F76
                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?), ref: 6C8D4FD2
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,6C90438C,000000FF,?), ref: 6C8D508E
                        • CloseHandle.KERNEL32(?), ref: 6C8D50B4
                        • Sleep.KERNEL32(0000EA60), ref: 6C8D50BF
                          • Part of subcall function 6C8DCB90: CoInitializeEx.OLE32(00000000,00000000,?,74732E646174), ref: 6C8DCBA9
                        • CreateFileA.KERNEL32(00000000,?,?,?,80000000,00000000,00000000,00000001,00000080,00000000), ref: 6C8D5101
                        • CloseHandle.KERNEL32(?,?,?,?,80000000,00000000,00000000,00000001,00000080,00000000), ref: 6C8D511E
                        • CloseHandle.KERNELBASE(?), ref: 6C8D512C
                        • GetUserNameA.ADVAPI32(?,?), ref: 6C8D515C
                        • Sleep.KERNEL32(00000BB8,?), ref: 6C8D51BB
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,00000000,?,?,?,?,?,?), ref: 6C8D5328
                        • ReadFile.KERNEL32(?,?,0000000F,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 6C8D535D
                        • CloseHandle.KERNELBASE(?), ref: 6C8D53B9
                        • Sleep.KERNELBASE(?,?,?,?), ref: 6C8D5467
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • RpcStringBindingComposeA.RPCRT4(00000000,?,?,?,00000000,?), ref: 6C8D5BBF
                        • RpcBindingFromStringBindingA.RPCRT4(?,?), ref: 6C8D5BD8
                        • _strcat.LIBCMT ref: 6C8D5C8F
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleSleep$Binding$NameString$ComposeFromInitializeModuleReadUser_strcat
                        • String ID: ----$---------$2463616368652E646174$24746D702E747874$433A5C5C50726F6772616D446174615C5C$434D44$443$444C59$44574E$4552524F52$4552524F525245504C414345$48415348$4944$494E46$4E4554455252$4F4B$52554E$53495A45$53595354454D20494E464F524D4154494F4E205C6E$5645524946494544$58160781928836700431202065781531683322301950835055$5C6E5C6E205B50524F43455353204C4953545D205C6E$633A5C55736572735C5075626C69635C63722E646174$633A5C5C50726F6772616D446174615C5C24746D702E747874$636D642E657865202F6320$74732E646174$7C2A3F2928257D5E267B$<$>> $_$_$a$c$c$c$d$d$d$i$n$n$outlook-web.ddns.net$p$p$t$|$|-|
                        • API String ID: 163969156-3700135009
                        • Opcode ID: 9a064508f81a66c85862c914a9660877120f207e37f22351f348c349e1a342eb
                        • Instruction ID: 526b2a0a3c68c2dad3853101b2f59770ce03f1411d57ee0b4dcabdc85bdb5089
                        • Opcode Fuzzy Hash: 9a064508f81a66c85862c914a9660877120f207e37f22351f348c349e1a342eb
                        • Instruction Fuzzy Hash: 9D431C72D1022D9ADB35DB64CD91EDEB378AF54208F4109F6A589A2590EFB0A7CCCF50

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6C8DEAD0
                        • GetSystemInfo.KERNELBASE(?), ref: 6C8DEB13
                        • GetComputerNameW.KERNEL32(?,00000400), ref: 6C8DEB31
                        • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000101,?,6C904B84,00000000,?,?,?,?,?,?,?,6C8D51CF,?), ref: 6C8DEC11
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: System$ComputerDirectoryInfoNameOpen
                        • String ID: %s\oeminfo.ini$Available Physical Memory:$BIOS Date:$BIOSVENDOR$BIOSVENDOR:$BiosVersion:$Boot Device:$CurrentType$Display$Domain:$Error! GetComputerName failed.$Error! GetSystemDirectory failed.$Error! RegOpenKeyEx failed.$General$General$HARDWARE\DESCRIPTION\System$HARDWARE\DESCRIPTION\System$HARDWARE\DESCRIPTION\System\BIOS$HARDWARE\DESCRIPTION\System\CentralProcessor\%u$Host Name:$Identifier$Input Locale:$Install Date:$InstallDate$Keyboard Layout\Preload$MIME\Database\Rfc1766$MIME\Database\Rfc1766$Manufacturer$Model$OS Build Type :$OS Name:$OS Version :$Page File Location(s):$PagingFiles$Processor(s):$Product ID:$ProductId$ProductName$Registered Owner:$RegisteredOrganization$RegisteredOrganization:$RegisteredOwner$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones$SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management$SYSTEM\Setup$Std$System Locale:$System Manufacturer:$System Model:$System type:$SystemBiosDate$SystemBiosVersion$SystemPartition$Time zone:$To Be Filled By O.E.M.$To Be Filled By O.E.M.$Total Physical Memory:$VendorIdentifier$Virtual Memory: Available:$Virtual Memory: In Use:$Virtual Memory: Max Size:$[%02u]:

                        Control-flow Graph

                        APIs
                        • ?GetFileVersionInfoByHandleEx@@YGHXZ.OLMAPI32(?,?,6C8E2118,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6C911EC0,0000000C,00000007,6C911E98), ref: 6C8DE4B0
                        • GetProcAddress.KERNEL32(GetFileVersionInfoA), ref: 6C8DE4C0
                        • GetProcAddress.KERNEL32(GetFileVersionInfoByHandle), ref: 6C8DE4D6
                        • GetProcAddress.KERNEL32(GetFileVersionInfoExW), ref: 6C8DE4EC
                        • GetProcAddress.KERNEL32(GetFileVersionInfoSizeA), ref: 6C8DE502
                        • GetProcAddress.KERNEL32(GetFileVersionInfoSizeExW), ref: 6C8DE518
                        • GetProcAddress.KERNEL32(GetFileVersionInfoSizeW), ref: 6C8DE52E
                        • GetProcAddress.KERNEL32(GetFileVersionInfoW), ref: 6C8DE544
                        • GetProcAddress.KERNEL32(VerFindFileA), ref: 6C8DE55A
                        • GetProcAddress.KERNEL32(VerFindFileW), ref: 6C8DE570
                        • GetProcAddress.KERNEL32(VerInstallFileA), ref: 6C8DE586
                        • GetProcAddress.KERNEL32(VerInstallFileW), ref: 6C8DE59C
                        • GetProcAddress.KERNEL32(VerLanguageNameA), ref: 6C8DE5B2
                        • GetProcAddress.KERNEL32(VerLanguageNameW), ref: 6C8DE5C8
                        • GetProcAddress.KERNEL32(VerQueryValueA), ref: 6C8DE5DE
                        • GetProcAddress.KERNEL32(VerQueryValueW), ref: 6C8DE5F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$Ex@@FileHandleInfoVersion
                        • String ID: GetFileVersionInfoA$GetFileVersionInfoByHandle$GetFileVersionInfoExW$GetFileVersionInfoSizeA$GetFileVersionInfoSizeExW$GetFileVersionInfoSizeW$GetFileVersionInfoW$VerFindFileA$VerFindFileW$VerInstallFileA$VerInstallFileW$VerLanguageNameA$VerLanguageNameW$VerQueryValueA$VerQueryValueW

                        Control-flow Graph

                        APIs
                        • RegEnumKeyExW.KERNELBASE(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 6C8DFBCF
                        • RegCloseKey.ADVAPI32(?), ref: 6C8DFD02
                        • GlobalMemoryStatus.KERNEL32(?), ref: 6C8DFD0F
                          • Part of subcall function 6C8E05F9: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000101,?,?,00000000), ref: 6C8E062C
                          • Part of subcall function 6C8E05F9: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000), ref: 6C8E0650
                          • Part of subcall function 6C8E05F9: RegCloseKey.KERNELBASE(00000006), ref: 6C8E0689
                          • Part of subcall function 6C8E03E4: GetNumberFormatW.KERNEL32(00000800,00000000,?,00000000,?,000003FD), ref: 6C8E0441
                        • NetGetJoinInformation.NETAPI32(00000000,?,?,?,00000000,?,00000000,?), ref: 6C8E0153
                        • NetApiBufferFree.NETAPI32(?,6C905408,?,Domain:,00000000,?,00000000,?,00000000,?), ref: 6C8E0214
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Close$BufferEnumFormatFreeGlobalInformationJoinMemoryNumberOpenQueryStatusValue
                        • String ID: Available Physical Memory:$Display$Domain:$Page File Location(s):$PagingFiles$SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management$Std$Time zone:$Total Physical Memory:$Virtual Memory: Available:$Virtual Memory: In Use:$Virtual Memory: Max Size:

                        Control-flow Graph

                        APIs
                        • GetModuleHandleW.KERNEL32(kernel32.dll,HeapSetInformation), ref: 2DE174F1
                        • GetProcAddress.KERNEL32(00000000), ref: 2DE174F8
                        • GetProcessHeap.KERNEL32(00000001,00000000,00000000), ref: 2DE1750A
                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 2DE17517
                        • GetCurrentProcessId.KERNEL32 ref: 2DE17523
                        • GetCurrentThreadId.KERNEL32 ref: 2DE1752B
                        • GetTickCount.KERNEL32 ref: 2DE17533
                        • QueryPerformanceCounter.KERNEL32(?), ref: 2DE1753F
                        • VirtualProtect.KERNELBASE(2DE032CC,00000004,00000040,?), ref: 2DE17561
                        • VirtualProtect.KERNELBASE(2DE032CC,00000004,?,?), ref: 2DE17581
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectTimeVirtual$AddressCountCounterFileHandleHeapModulePerformanceProcQuerySystemThreadTick
                        • String ID: HeapSetInformation$kernel32.dll

                        Control-flow Graph

                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 2DE03D39
                        • SetLastError.KERNEL32(0000006F), ref: 2DE03D4F
                        • GetLastError.KERNEL32 ref: 2DE03DA7
                        • LoadLibraryW.KERNELBASE(Comctl32.dll), ref: 2DE03E19
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$FileLibraryLoadModuleName
                        • String ID: $@$Comctl32.dll$GetModuleHandleExW$QueryActCtxW

                        Control-flow Graph

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C8D7EB6
                        • Process32First.KERNEL32(000000FF,00000128), ref: 6C8D7EF6
                        • CloseHandle.KERNEL32(000000FF,00000002,00000000), ref: 6C8D7F05
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                        • String ID: ERROR$ERROR

                        Control-flow Graph

                        APIs
                        • __allrem.LIBCMT ref: 6C8EDB93
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8EDBAF
                        • __allrem.LIBCMT ref: 6C8EDBC6
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8EDBE4
                        • __allrem.LIBCMT ref: 6C8EDBFB
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8EDC19
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID: 74732E646174

                        Control-flow Graph

                        APIs
                        • GetModuleHandleW.KERNEL32(KERNEL32), ref: 2DE050CF
                        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 2DE050E9
                        • GetProcAddress.KERNEL32(00000000,GetSystemDEPPolicy), ref: 2DE050F3
                        • SetProcessDEPPolicy.KERNEL32(00000001), ref: 2DE05106
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModulePolicyProcess
                        • String ID: GetSystemDEPPolicy$KERNEL32$SetProcessDEPPolicy

                        Control-flow Graph

                        APIs
                        • __RTC_Initialize.LIBCMT ref: 6C8E203F
                        • ___scrt_uninitialize_crt.LIBCMT ref: 6C8E2059
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Initialize___scrt_uninitialize_crt
                        • String ID:

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph (first node 2de16528-2de16559; flattened node/edge dump omitted; named calls in the graph: ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, free)
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Mailbox$?_set_new_handler@@_setmbcpfree
                        • String ID:
                        • API String ID: 2556944153-0
                        • Opcode ID: 6af910436fbf5c720a7919511e3d48fdfbc5420c8bf4f35e033a9d1fa9ecf0ad
                        • Instruction ID: df05ffe40137f81d467fc9d5efd219c420521f51f37c70c22b2472e2ec13b6fc
                        • Opcode Fuzzy Hash: 6af910436fbf5c720a7919511e3d48fdfbc5420c8bf4f35e033a9d1fa9ecf0ad
                        • Instruction Fuzzy Hash: 963135B0300A009BCB259F68C450A6EBBF2FF98710F104A1CE686B7694DF32ED41CB90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph (first node 6c8d7ae4; flattened node/edge dump omitted; named calls in the graph: Sleep, RpcStringFreeA, CreateFileA, RpcStringBindingComposeA, RpcBindingFromStringBindingA, WriteFile, CloseHandle, WinExec, PathFileExistsA, DeleteFileA)
                        APIs
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • _strcat.LIBCMT ref: 6C8D7ABD
                        • _strcat.LIBCMT ref: 6C8D7B2D
                        • _strncpy.LIBCMT ref: 6C8D7B5F
                        • Sleep.KERNEL32(00003A98,?,?,?,?,?,?,6C9042B6,6C9042A7,0000000C,0000000C,?,?,6C934458), ref: 6C8D7C23
                        • Sleep.KERNEL32(?,6C9042B6,6C9042A7,0000000C,0000000C,?,?,6C934458), ref: 6C8D7C31
                        • RpcStringFreeA.RPCRT4(?), ref: 6C8D7CDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Sleep_strcat$CreateFileFreeString_strncpy
                        • String ID: d
                        • API String ID: 2099396881-2564639436
                        • Opcode ID: 74a8efbd481e36517c7b804c19a520793e4418e79ea70e317d1c4bc0eb0c5a55
                        • Instruction ID: cab01d362a9e7ce676c5be67d5187cae1e70aca3407062ff9fa2bc38db0af25f
                        • Opcode Fuzzy Hash: 74a8efbd481e36517c7b804c19a520793e4418e79ea70e317d1c4bc0eb0c5a55
                        • Instruction Fuzzy Hash: A3817870924169CADF74DB28CE91EEDB375AFA0208F5209F9918962990DFB067CDDF40

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph (first node 6c8d62a0; flattened node/edge dump omitted; named calls in the graph: Sleep, RpcStringFreeA, CreateFileA, RpcStringBindingComposeA, RpcBindingFromStringBindingA, WriteFile, CloseHandle, WinExec, PathFileExistsA, DeleteFileA)
                        APIs
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • _strcat.LIBCMT ref: 6C8D6279
                        • _strcat.LIBCMT ref: 6C8D62E9
                        • _strncpy.LIBCMT ref: 6C8D631B
                        • Sleep.KERNEL32(00003A98,?,?,?,?,?,?,6C9042B6,6C9042A7,0000000C,0000000C,?,?,6C934458), ref: 6C8D7C23
                        • RpcStringFreeA.RPCRT4(?), ref: 6C8D7CDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _strcat$CreateFileFreeSleepString_strncpy
                        • String ID: d
                        • API String ID: 437704486-2564639436
                        • Opcode ID: 0ddffeb2ce710e8e32f4c3328b5745409d06f914371a12b2d5371e3db3fa5005
                        • Instruction ID: 990b239921dfbda015b4a2bdd6089ebfd2e7150170c786d2a35196f60d720569
                        • Opcode Fuzzy Hash: 0ddffeb2ce710e8e32f4c3328b5745409d06f914371a12b2d5371e3db3fa5005
                        • Instruction Fuzzy Hash: 06719870864159CADF74DB68CE91EEDB375AFA0208F4209E9918A62990DFB037CDDF41

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph (first node 6c8e20a8-6c8e20b9; flattened node/edge dump omitted; named calls in the graph: dllmain_raw, dllmain_crt_dispatch)
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: dllmain_raw$dllmain_crt_dispatch
                        • String ID:
                        • API String ID: 3136044242-0
                        • Opcode ID: 6f4113a9eb224bba814715fea13bb47d3d544fd429beb550260c0396608c9e7a
                        • Instruction ID: e9de1c48a1f7ea62cf7922c6c43ca56a1492c3293e7a2e5416474546ed31aed8
                        • Opcode Fuzzy Hash: 6f4113a9eb224bba814715fea13bb47d3d544fd429beb550260c0396608c9e7a
                        • Instruction Fuzzy Hash: 17212C71D0161AEBCB314F59CE48AAF3A79FB8B798F004925F91867B50C3389E058BD0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph (first node 6c8e05f9-6c8e0619; flattened node/edge dump omitted; named calls in the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey)
                        APIs
                        • RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000101,?,?,00000000), ref: 6C8E062C
                        • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000), ref: 6C8E0650
                        • RegCloseKey.KERNELBASE(00000006), ref: 6C8E0689
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: N/A
                        • API String ID: 3677997916-2525114547
                        • Opcode ID: 18d8f29ad51da1591e5f4898b785a875fe089768eead5829cca283be17493595
                        • Instruction ID: cb5949d71f6e5449538a8392335ee3c82ea18182f36ce38c71cef2eed1057aa9
                        • Opcode Fuzzy Hash: 18d8f29ad51da1591e5f4898b785a875fe089768eead5829cca283be17493595
                        • Instruction Fuzzy Hash: AB310570A0424EEFDF10DF99D940BAE7BB0BF49304F208829E815A66A0DB74DA54DF60
                        APIs
                        • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6C8F7563,00000000,00000000,00000000), ref: 6C8F7422
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: InformationTimeZone
                        • String ID: Eastern Standard Time$Eastern Summer Time
                        • API String ID: 565725191-239921721
                        • Opcode ID: abe699cafe15fe5e6993a97440c01dc0d1f784161c37fb9153ecc9b7945664fb
                        • Instruction ID: fe7ce845a31338db922db90a63b816319a5cc5d7e36d2ba1631f3d503c815438
                        • Opcode Fuzzy Hash: abe699cafe15fe5e6993a97440c01dc0d1f784161c37fb9153ecc9b7945664fb
                        • Instruction Fuzzy Hash: 2AC18072A00125ABEB30AF68CE01AEE7779EF45798F644935E824D7780E7709E46C790
                        APIs
                          • Part of subcall function 6C8F26DF: HeapFree.KERNEL32(00000000,00000000,?,6C8FC163,?,00000000,?,?,6C8FC404,?,00000007,?,?,6C8FB896,?,?), ref: 6C8F26F5
                          • Part of subcall function 6C8F26DF: GetLastError.KERNEL32(?,?,6C8FC163,?,00000000,?,?,6C8FC404,?,00000007,?,?,6C8FB896,?,?), ref: 6C8F2700
                        • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6C8F7563,00000000,00000000,00000000), ref: 6C8F7422
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorFreeHeapInformationLastTimeZone
                        • String ID: Eastern Standard Time$Eastern Summer Time
                        • API String ID: 3335090040-239921721
                        • Opcode ID: 3ec4e08a8a8fcfafcbb5e9d37910b355c6a8b63227a6db8ecb68052a8f4ca216
                        • Instruction ID: ed72e744227235909ece651e0b04b78dc7b137eced7242f6cf476cd5d8b955b9
                        • Opcode Fuzzy Hash: 3ec4e08a8a8fcfafcbb5e9d37910b355c6a8b63227a6db8ecb68052a8f4ca216
                        • Instruction Fuzzy Hash: 9541D971900525ABDB30AF6DCE059CE7F78EF46798B204A75E428D7A90EB709D06CB90
                        APIs
                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D589E
                        • RpcStringFreeA.RPCRT4(?), ref: 6C8D7CDA
                        Strings
                        • Runtime reported exception , xrefs: 6C8D7CAD
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CreateFileFreeString
                        • String ID: Runtime reported exception
                        • API String ID: 201379981-1260309434
                        • Opcode ID: 021a616e3411806567aaf6cadc33d07ad7f6781a8c2646d549db630f9d53c8d7
                        • Instruction ID: 8bfeabe740e8de3a2c5e3fef4bd909eee90ff7ac8682709177c09cf7314fc884
                        • Opcode Fuzzy Hash: 021a616e3411806567aaf6cadc33d07ad7f6781a8c2646d549db630f9d53c8d7
                        • Instruction Fuzzy Hash: 20515730924169CADF74DB28CD91EEDB371AFA4218F5109E9918E62A90DFB076CDDF40
                        APIs
                        • _setmbcp.MSVCR90 ref: 2DE171C3
                          • Part of subcall function 2DE15E3D: GetVersionExA.KERNEL32(?), ref: 2DE15E6A
                          • Part of subcall function 2DE11766: __EH_prolog3.LIBCMT ref: 2DE1176D
                          • Part of subcall function 2DE11766: GetClassInfoW.USER32(?,?,?), ref: 2DE1177F
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassH_prolog3InfoVersion_setmbcp
                        • String ID: AfxWndA$AfxWndW
                        • API String ID: 329514372-64854810
                        • Opcode ID: 6a282e33f2a40a4e87bd68a475a5dfcb41cda586579e782e554a13593cf369ce
                        • Instruction ID: 997b85a27c01012eea14ebacc4fe09b4552363ffe2b16b2a11f63688770db368
                        • Opcode Fuzzy Hash: 6a282e33f2a40a4e87bd68a475a5dfcb41cda586579e782e554a13593cf369ce
                        • Instruction Fuzzy Hash: 132128B2A04249DFDB04DFA9C441A9EBBF4FB48750F10812AE515F7340EB35D942CB65
                        APIs
                        • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 2DE03E58
                        • GetLastError.KERNEL32 ref: 2DE03E8E
                        Strings
                        • IsolationAware function called after IsolationAwareCleanup, xrefs: 2DE03E53
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: DebugErrorLastOutputString
                        • String ID: IsolationAware function called after IsolationAwareCleanup
                        • API String ID: 4132100945-2690750368
                        • Opcode ID: 4f7ed09b74f1d6dacb50aa306d3edb595997ddf75352d858c255c980011f5f0d
                        • Instruction ID: 527cd5ec6fc51f33c58d2766b730fd58c3500574e357dd278dc4eea3d0efc616
                        • Opcode Fuzzy Hash: 4f7ed09b74f1d6dacb50aa306d3edb595997ddf75352d858c255c980011f5f0d
                        • Instruction Fuzzy Hash: FFF09032A083248B8715AFA5890077EB6E5D705F977140226F7A6F0600CF75C852DBE5
                        APIs
                        • RegOpenKeyExW.ADVAPI32(00000004,00000000,00000000,00000101,00000004), ref: 6C8E05A0
                        • RegQueryValueExW.KERNELBASE(00000004,00000001,00000000,00000000,00000004,00000004), ref: 6C8E05C1
                        • RegCloseKey.ADVAPI32(00000004), ref: 6C8E05E4
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID:
                        • API String ID: 3677997916-0
                        • Opcode ID: 8550ecd9173f44a70354ad687c1c09e1f6efc0b83701180902316e09f9642a2e
                        • Instruction ID: e52b0e7b2ba543c2c155afb70677102ffb8a741499f1d7e15b490fa2f582bcac
                        • Opcode Fuzzy Hash: 8550ecd9173f44a70354ad687c1c09e1f6efc0b83701180902316e09f9642a2e
                        • Instruction Fuzzy Hash: 3F11237060420DEFEF11CF60C905BEE7BB4BB0A309F208829E915AA190DBB4DA94DF10
                        APIs
                        • DeleteFileW.KERNELBASE(6C8E8FE3,?,6C8E8FE3,?,?,?,2463616368652E646174), ref: 6C8F5B31
                        • GetLastError.KERNEL32(?,6C8E8FE3,?,?,?,2463616368652E646174), ref: 6C8F5B3B
                        • __dosmaperr.LIBCMT ref: 6C8F5B42
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: DeleteErrorFileLast__dosmaperr
                        • String ID:
                        • API String ID: 1545401867-0
                        • Opcode ID: 582112237b673bd98227b13081c0256f4944977c3062010f2a47ba6ada68cae6
                        • Instruction ID: b31711ba2f4e51905ac3e6c338d0632aab457fb7ec8f4fc8db7370024f6e0b18
                        • Opcode Fuzzy Hash: 582112237b673bd98227b13081c0256f4944977c3062010f2a47ba6ada68cae6
                        • Instruction Fuzzy Hash: CDD0123230C20CBB9F503FF6EC0884A7B7E9BA23787294A29F52CC5590EF31C4959951
                        APIs
                        • GlobalAddAtomA.KERNEL32(AfxOldWndProc), ref: 2DE19C73
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AtomGlobal
                        • String ID: AfxOldWndProc
                        • API String ID: 2189174293-2134796454
                        • Opcode ID: d4217dee72e4177300e25165df6d35abc6edc369c666346bf9ee81b424c5cd5f
                        • Instruction ID: 8490e39fbf53fde2146f8bf48e1fdd2717d6ea3805bb5707b58b8df0217edc5d
                        • Opcode Fuzzy Hash: d4217dee72e4177300e25165df6d35abc6edc369c666346bf9ee81b424c5cd5f
                        • Instruction Fuzzy Hash: 1CA022AB0020008383008FF0C0C8BE032F0AF80A03B2200C38033F03388E280080C38F
                        APIs
                        • GetDateFormatW.KERNELBASE(00000800,00000000,?,00000000,6C8DF0CA,000003FE,?,?,?,6C8DF0CA,?,00000000,?,00000000,?,00000000), ref: 6C8E0501
                        • GetTimeFormatW.KERNEL32(00000800,00000000,?,00000000,00000000,00000000), ref: 6C8E0559
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Format$DateTime
                        • String ID:
                        • API String ID: 2545834208-0
                        • Opcode ID: f790838552091bdce9506e4161047a615fa6f0e2860cf53d55d2d95df32ece6e
                        • Instruction ID: 8ce486bdf476db4b2df769246b6438726bb0476480b6d625f5d9c18658a18c9e
                        • Opcode Fuzzy Hash: f790838552091bdce9506e4161047a615fa6f0e2860cf53d55d2d95df32ece6e
                        • Instruction Fuzzy Hash: 1A31A478E0024A9FDB00DFA8C981BAEB7B4EF18704F10445AE915EB750E734AA45CBA5
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE116DD
                        • GetClassInfoA.USER32(?,?,?), ref: 2DE116EF
                          • Part of subcall function 2DE10D75: RegisterClassA.USER32(?), ref: 2DE10DA4
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Class$H_prolog3InfoRegister
                        • String ID:
                        • API String ID: 1538853570-0
                        • Opcode ID: c7c22eb8f7b14e36dca255616a0ec666563476ed3652da8b2b9a615a1859b1bc
                        • Instruction ID: 41f7c54c93f7348133383d2809edf97374919f27fa2577515922fd41d20de380
                        • Opcode Fuzzy Hash: c7c22eb8f7b14e36dca255616a0ec666563476ed3652da8b2b9a615a1859b1bc
                        • Instruction Fuzzy Hash: 5A01B171704254BACB026A608C81F9F7BADEF26745F118514F659B6190CE34DE0187B6
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: lstrcmpi
                        • String ID: 0-
                        • API String ID: 1586166983-1114002220
                        • Opcode ID: a787ed22da077df86fa8b5d37a2b146f29c00f357b760bf3763710e4c0c6d434
                        • Instruction ID: 8a9d2ef84c5730c7ed6c033890644b0a333031032d0f9abf4a54e8a4bddb1987
                        • Opcode Fuzzy Hash: a787ed22da077df86fa8b5d37a2b146f29c00f357b760bf3763710e4c0c6d434
                        • Instruction Fuzzy Hash: D2E0ED31214115AFD7529E65CC40A667BE8FF45B95340C82AF859F6114EE72D910DBE0
                        APIs
                        • KiUserCallbackDispatcher.NTDLL(00000002), ref: 2DE15FDE
                        • GetSystemMetrics.USER32(00000003), ref: 2DE15FE8
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CallbackDispatcherMetricsSystemUser
                        • String ID:
                        • API String ID: 365337688-0
                        • Opcode ID: 9e4da9da6fd3846626be3a876d2cad014e43beda641b95538cee8958df5b12cc
                        • Instruction ID: 9044a5b9f88155e5f7a41718bf5436ce1e8e80d6e2b5ab320940da893f2200bf
                        • Opcode Fuzzy Hash: 9e4da9da6fd3846626be3a876d2cad014e43beda641b95538cee8958df5b12cc
                        • Instruction Fuzzy Hash: 58D05E338092208ED70C9B9498087A837F4F308B10F04400BF246A6380C7BC8841CB98
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6C8E1C0F,00000000,?,6C8D447E,00000000,?,6C8D179D,00000000,?,6C8DA4C6,00000000,?), ref: 6C8F274B
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 497472592a46656b4dd3b86fa06673237a1eb467f7419ac2c1bf5eb72847fdc5
                        • Instruction ID: 7c3010103d445a209ef135f61c1330da23ee34cc41fada962f478cad73faaa93
                        • Opcode Fuzzy Hash: 497472592a46656b4dd3b86fa06673237a1eb467f7419ac2c1bf5eb72847fdc5
                        • Instruction Fuzzy Hash: B5E02B312052656BEB312A6E8F0978B7A5C9F537E4F110931DD34D2DC0DB18D41342E1
                        APIs
                        • RegisterClassA.USER32(?), ref: 2DE10DA4
                          • Part of subcall function 2DE03E45: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 2DE03E58
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassDebugOutputRegisterString
                        • String ID:
                        • API String ID: 3599523695-0
                        • Opcode ID: f7ecc1f92a0668298174b18dbe70631bd3bfc5fdc31549c9e8484fc3f079f4da
                        • Instruction ID: 777efd4dfe5afe9d8f14c631cd8cb51412d98a8228a122e5ade9ae0b62ae19ab
                        • Opcode Fuzzy Hash: f7ecc1f92a0668298174b18dbe70631bd3bfc5fdc31549c9e8484fc3f079f4da
                        • Instruction Fuzzy Hash: 4BF03071D05209DACB40EFA589006FDBAF5FF54700F614116E565F6190CF34CA42DB24
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 3c9221a8330db71b842a43b363df4827e11af7726f289f1a230b4738da640df6
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 3c9221a8330db71b842a43b363df4827e11af7726f289f1a230b4738da640df6
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 374f67c20174960b52ec27608b5ab030bc443be68ee213b82e3feaf5970ff3fc
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 374f67c20174960b52ec27608b5ab030bc443be68ee213b82e3feaf5970ff3fc
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: fd43a3fdb2278bbe56b9ac39c2a82664b83aad6ef90ab75cbd57617ea47e249d
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: fd43a3fdb2278bbe56b9ac39c2a82664b83aad6ef90ab75cbd57617ea47e249d
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 2DE181A8
                          • Part of subcall function 2DE18A22: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 2DE18A9B
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID:
                        • API String ID: 123106877-0
                        • Opcode ID: 46b048f0821808117381df587b5b8618c0fad5ea4ea476e1da7cef26fa50cee7
                        • Instruction ID: efc6d43cba1d3b2f555f985efa26ea3c6e1e122e654d18d09dcf306df2d5a65f
                        • Opcode Fuzzy Hash: 46b048f0821808117381df587b5b8618c0fad5ea4ea476e1da7cef26fa50cee7
                        • Instruction Fuzzy Hash: C5A011823AC002FC300A8208AC88CBA830CC2C0AA0320CB0AE020B0000AC00CC080030
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectTimeVirtual$AddressCountCounterFileHandleHeapModulePerformanceProcQuerySystemThreadTick
                        • String ID:
                        • API String ID: 2966426798-0
                        • Opcode ID: b1d9e3360e75d73aef1975e7a51aa155834824d47b87844c87d294b04e291f44
                        • Instruction ID: e78b5431c3df2289def5fc0514eb564146f851374970ea3c46f2ab85c2feb5c9
                        • Opcode Fuzzy Hash: b1d9e3360e75d73aef1975e7a51aa155834824d47b87844c87d294b04e291f44
                        • Instruction Fuzzy Hash:
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE07BD0
                        • IsIconic.USER32(00000001), ref: 2DE07C45
                        • SetForegroundWindow.USER32(00000001), ref: 2DE07C69
                        • LoadMenuW.USER32(?,00000048), ref: 2DE07CA7
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000001), ref: 2DE07CDB
                        • SetWindowLongA.USER32(00000003,000000F4,0000E900), ref: 2DE07D64
                        • GetFocus.USER32 ref: 2DE07D6A
                        • SetFocus.USER32(00000003,00000000,?,?,00000000,?,?,00CF0000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 2DE07D83
                          • Part of subcall function 2DE12F6C: GetMessageA.USER32(2DE1E9A0,00000000,00000000,00000000), ref: 2DE12F79
                          • Part of subcall function 2DE12F6C: TranslateMessage.USER32(2DE1E9A0), ref: 2DE12F99
                          • Part of subcall function 2DE12F6C: DispatchMessageA.USER32(2DE1E9A0), ref: 2DE12FA0
                        • GetSystemMetrics.USER32(00000000), ref: 2DE07DAF
                        • GetSystemMetrics.USER32(00000001), ref: 2DE07DDF
                        • GetSystemMetrics.USER32(00000001), ref: 2DE07E15
                        • SetForegroundWindow.USER32(00000003), ref: 2DE07E48
                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 2DE07E7E
                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 2DE07ECD
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Message$MetricsSystemWindow$FocusForegroundPeek$ByteCharDispatchH_prolog3_catchIconicLoadLongMenuMultiTranslateWide
                        • String ID:
                        • API String ID: 2541888167-0
                        • Opcode ID: 290a08594d3c1373832ecd646cb7b35f3fae9b5f89bf84448277df58dea2848e
                        • Instruction ID: 62f3655488501c880ed43d426ecc0c1284c9343c02d18e12cd801800864164f7
                        • Opcode Fuzzy Hash: 290a08594d3c1373832ecd646cb7b35f3fae9b5f89bf84448277df58dea2848e
                        • Instruction Fuzzy Hash: 34A19E71A01119EBCF05EFA4C885AAE7BB5EF48756F118019F90ABB245CF74DE41CBA0
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetACP.KERNEL32(?,?,?,?,?,?,6C8F0D22,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6C8FD002
                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6C8F0D22,?,?,?,00000055,?,-00000050,?,?), ref: 6C8FD02D
                        • _wcschr.LIBVCRUNTIME ref: 6C8FD0C1
                        • _wcschr.LIBVCRUNTIME ref: 6C8FD0CF
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6C8FD190
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                        • String ID: utf8
                        • API String ID: 4147378913-905460609
                        • Opcode ID: f25d2644a2116f46da9e3f5c971fe230a5ac3fb505c60491beee5c9367101c9e
                        • Instruction ID: 2b38e6b40aa3979c9678efbce03e91a5ae66100e7df6e7bca8fca3736114b0ad
                        • Opcode Fuzzy Hash: f25d2644a2116f46da9e3f5c971fe230a5ac3fb505c60491beee5c9367101c9e
                        • Instruction Fuzzy Hash: E7712F71604206AAE734AF39CE41BE6B3A8EF45388F104C3AE625D7A81F774D547C760
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 2DE17E3C
                        • _crt_debugger_hook.MSVCR90(00000001), ref: 2DE17E49
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 2DE17E51
                        • UnhandledExceptionFilter.KERNEL32(2DE03308), ref: 2DE17E5C
                        • _crt_debugger_hook.MSVCR90(00000001), ref: 2DE17E6D
                        • GetCurrentProcess.KERNEL32(C0000409), ref: 2DE17E78
                        • TerminateProcess.KERNEL32(00000000), ref: 2DE17E7F
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                        • String ID:
                        • API String ID: 3369434319-0
                        • Opcode ID: 57dc467342b30da1e5f46a0a0a29976b29a7f0103eb706373591e4cd37f5fbd6
                        • Instruction ID: 0ed8bb1e5ad0440355285c97adff1f601f88bbca9fa52522f07f9a61804034bf
                        • Opcode Fuzzy Hash: 57dc467342b30da1e5f46a0a0a29976b29a7f0103eb706373591e4cd37f5fbd6
                        • Instruction Fuzzy Hash: D421DFB7902744AFC321DFA4D4897583BF4BB08B11F50901AE40AA7B50EB789981CF0D
                        APIs
                        • GetLocaleInfoW.KERNEL32(?,2000000B,6C8FD9EE,00000002,00000000,?,?,?,6C8FD9EE,?,00000000), ref: 6C8FD769
                        • GetLocaleInfoW.KERNEL32(?,20001004,6C8FD9EE,00000002,00000000,?,?,?,6C8FD9EE,?,00000000), ref: 6C8FD792
                        • GetACP.KERNEL32(?,?,6C8FD9EE,?,00000000), ref: 6C8FD7A7
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: InfoLocale
                        • String ID: ACP$OCP
                        • API String ID: 2299586839-711371036
                        • Opcode ID: 8427f81026d0536a92782b880799bef533a4b414c83e27bfb0f1c5ded288f7bf
                        • Instruction ID: b4b84f9f22adb7cf97d06a1a91b9e5ace976bdf5778f696542764f6845f173e4
                        • Opcode Fuzzy Hash: 8427f81026d0536a92782b880799bef533a4b414c83e27bfb0f1c5ded288f7bf
                        • Instruction Fuzzy Hash: 1721A722709104D6D7349F15CB01B8772B6EB43BD8B668E2AEA29DF900F731DD42C750
                        APIs
                          • Part of subcall function 6C8F02DC: GetLastError.KERNEL32(?,00000008,6C8F9E39,00000000,6C8E68B0), ref: 6C8F02E0
                          • Part of subcall function 6C8F02DC: SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C8F0382
                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6C8FD9B1
                        • IsValidCodePage.KERNEL32(00000000), ref: 6C8FD9FA
                        • IsValidLocale.KERNEL32(?,00000001), ref: 6C8FDA09
                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6C8FDA51
                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6C8FDA70
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                        • String ID:
                        • API String ID: 415426439-0
                        • Opcode ID: 708086c4e929f383090b5a1528856f07b7b57a0338e027e95d1c5452b1a648d9
                        • Instruction ID: c6f67a2f4b8f4d88825ebd16f7911bd8815e6fb4e1cda28e5e091fb8be41164e
                        • Opcode Fuzzy Hash: 708086c4e929f383090b5a1528856f07b7b57a0338e027e95d1c5452b1a648d9
                        • Instruction Fuzzy Hash: FC516571B012059FEF20DFA9CD40BAE77F8AF45744F21482AAA34E7640D770E9468B61
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        • Opcode ID: 5a2df6829468a3d1ba630fb8cbc36a6c6803c4e92b5340e5fff4db1baf62b945
                        • Instruction ID: 64f91ab19adffea2910eab6a9a835cc02ef0ef7f7d0e31aa798ed129f3759cb2
                        • Opcode Fuzzy Hash: 5a2df6829468a3d1ba630fb8cbc36a6c6803c4e92b5340e5fff4db1baf62b945
                        • Instruction Fuzzy Hash: 68B16C31A053459FEB218F68C990BEEBBB5EF55384F14C5AAD424ABB41D334D907CBA0
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6C8E2717
                        • IsDebuggerPresent.KERNEL32 ref: 6C8E27E3
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C8E2803
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 6C8E280D
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                        • String ID:
                        • API String ID: 254469556-0
                        • Opcode ID: 638b0b6778bf47af338e41ad40fcffda6bb9859e1233b36c375a9042896f14e5
                        • Instruction ID: a478b33246b67ff7313430a183f11d77b5e313af9914d6309095d93a5fe49f09
                        • Opcode Fuzzy Hash: 638b0b6778bf47af338e41ad40fcffda6bb9859e1233b36c375a9042896f14e5
                        • Instruction Fuzzy Hash: 59314A75D0522D9BDF21DFA5DA897CCBBB8BF19304F1045AAE40CAB240EB749B849F44
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Char$Next$mallocmemset$isspacelstrlen$ByteLeadPrevProfileString
                        • String ID: intl$sList
                        • API String ID: 1792931721-3643076868
                        • Opcode ID: bf8fbc612642cf501f2d6c9593b33af8d70f793b01dd504c461bb7771a5d14c1
                        • Instruction ID: 85f439606f4543b4cb57da21a7ab1d77fb6269e1b93010b229283cb028babac0
                        • Opcode Fuzzy Hash: bf8fbc612642cf501f2d6c9593b33af8d70f793b01dd504c461bb7771a5d14c1
                        • Instruction Fuzzy Hash: CE61F475900255AFDB118F65C8C4BBDBBF8EF0526AF10806AE985F7641DB7ACA40CF60
                        APIs
                          • Part of subcall function 2DE12240: LoadResource.KERNEL32(2DE00000,00000000,2DE00000,?,000000F0), ref: 2DE1227A
                          • Part of subcall function 2DE12240: LockResource.KERNEL32(00000000), ref: 2DE12288
                          • Part of subcall function 2DE12240: SendDlgItemMessageA.USER32(00000001,?,?,00000000,00000000), ref: 2DE122D8
                          • Part of subcall function 2DE12240: FreeResource.KERNEL32(?), ref: 2DE122F0
                        • EndDialog.USER32(?,00000003), ref: 2DE146BC
                          • Part of subcall function 2DE06288: GetDlgItem.USER32(?,?), ref: 2DE06291
                        • ShowWindow.USER32(?,00000000,?,00000000), ref: 2DE146E7
                        • memset.MSVCR90 ref: 2DE14714
                        • memset.MSVCR90 ref: 2DE14723
                        • memset.MSVCR90 ref: 2DE1476C
                        • GetDC.USER32(00000000), ref: 2DE147BC
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 2DE147CB
                        • ReleaseDC.USER32(00000000,?), ref: 2DE147F2
                        • CreateFontIndirectW.GDI32(FFFFFFF5), ref: 2DE14828
                        • CreateFontIndirectW.GDI32(FFFFFFF5), ref: 2DE1483B
                        • CreateFontIndirectW.GDI32(FFFFFFF5), ref: 2DE1485F
                        • GetWindow.USER32(?,00000005), ref: 2DE1486A
                        • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 2DE1488A
                        • GetObjectW.GDI32(00000000,0000005C,?), ref: 2DE1489A
                        • SendMessageA.USER32(?,00000030,?,00000000), ref: 2DE148D0
                        • GetWindow.USER32(?,00000002), ref: 2DE148DA
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CreateFontIndirectMessageResourceSendWindowmemset$Item$CapsDeviceDialogFreeLoadLockObjectReleaseShow
                        • String ID: @$@
                        • API String ID: 1409219205-149943524
                        • Opcode ID: dfd6ae548f6e67369d0b8e4d9439b5f187f1b678dd6663c1e9508cf80ad897a4
                        • Instruction ID: f1fc852bb682c3422807fdd19d565e8e8e16324926b382bc3b4a88d834d813cd
                        • Opcode Fuzzy Hash: dfd6ae548f6e67369d0b8e4d9439b5f187f1b678dd6663c1e9508cf80ad897a4
                        • Instruction Fuzzy Hash: E5616D71A042689EDB219B64CC44BEEBBF8BF18745F4045A9E20AF6290DB75DE80CF54
                        APIs
                        • GetParent.USER32(?), ref: 2DE041EF
                        • GetWindowThreadProcessId.USER32(?,?), ref: 2DE041FC
                        • GetCurrentProcessId.KERNEL32 ref: 2DE04202
                        • GetLastError.KERNEL32 ref: 2DE04225
                        • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 2DE042AB
                        • SetLastError.KERNEL32(?), ref: 2DE042E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$Process$CurrentParentThreadWindow
                        • String ID: Unknown$W$n2ub$o2ub$openas$q2ub$r2ub$t2ub
                        • API String ID: 3874811631-1827479352
                        • Opcode ID: 664cb6042f8f2427c7b426443daa625d9676b55b495372ee7eb878a11a592400
                        • Instruction ID: 5624995efa62e45a80d2015e29ddcb3a68734019700b062c3cd6d2bf9985900d
                        • Opcode Fuzzy Hash: 664cb6042f8f2427c7b426443daa625d9676b55b495372ee7eb878a11a592400
                        • Instruction Fuzzy Hash: E631F6B2600605EFD701AFE1CA88A9E7AF8FF1465BB118529E616F7210CF74DE40CB64
                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 2DE09F9E
                        • ReadClassStg.OLE32(?,?,?,00000000,?,?,00000000,?), ref: 2DE0A089
                        • OleLoad.OLE32(?,2DE017D0,?,?), ref: 2DE0A0D6
                        • _strdup.MSVCR90(?), ref: 2DE0A1DB
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,000000FF,?,00000104,?,00000000,?,?), ref: 2DE0A250
                        • GetClassFile.OLE32(00000000), ref: 2DE0A25F
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,000000FF,?,00000104,2DE017D0,00000001,00000000,?,?,?), ref: 2DE0A2C3
                        • OleCreateLinkToFile.OLE32(00000000), ref: 2DE0A2D2
                        • OleSetContainedObject.OLE32(?,00000001), ref: 2DE0A31A
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharClassFileMultiWide$ContainedCreateH_prolog3_LinkLoadObjectRead_strdup
                        • String ID: HrThreadFuncWaitOnClose$L"-$Note
                        • API String ID: 1990140484-749375652
                        • Opcode ID: ff8526354651f11c4d5cfd00d36eaeef83786d052839b11786698df0265a969d
                        • Instruction ID: 1e9b259ac48dd1adc301392e6ee38f33c7b3e2d421be94de005b4b1ebb7b3f5d
                        • Opcode Fuzzy Hash: ff8526354651f11c4d5cfd00d36eaeef83786d052839b11786698df0265a969d
                        • Instruction Fuzzy Hash: 31D14C71604128AFCB169B64CC84FAA77B9EF48701F1540A4F609FB251DB74AF81CB60
                        APIs
                        • _splitpath_s.MSVCR90 ref: 2DE09ADD
                          • Part of subcall function 2DE08FD6: lstrlenA.KERNEL32(?), ref: 2DE08FE3
                        • _splitpath_s.MSVCR90 ref: 2DE09B35
                        • lstrlenA.KERNEL32(?), ref: 2DE09B5F
                        • _makepath_s.MSVCR90 ref: 2DE09B8C
                        • CloseHandle.KERNEL32(00000000), ref: 2DE09BCE
                          • Part of subcall function 2DE08FD6: IsCharAlphaNumericA.USER32(?,?), ref: 2DE09017
                          • Part of subcall function 2DE04609: _vsnprintf.MSVCR90 ref: 2DE0463A
                        • CharPrevA.USER32(?,?), ref: 2DE09C00
                        • lstrlenA.KERNEL32(?), ref: 2DE09C53
                        • _makepath_s.MSVCR90 ref: 2DE09C81
                        • GetLastError.KERNEL32 ref: 2DE09CA1
                        • CloseHandle.KERNEL32(00000000), ref: 2DE09CCB
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: lstrlen$CharCloseHandle_makepath_s_splitpath_s$AlphaErrorLastNumericPrev_vsnprintf
                        • String ID: %s%x$.
                        • API String ID: 3070513225-3101762996
                        • Opcode ID: c380954a205d623cb66a27fe5a850227fcbf912c343e0c476c3aab25ebe947b6
                        • Instruction ID: de830af3b0f30261b6ab76716317b26e3682d5680cbc4ed736ce115ce1889152
                        • Opcode Fuzzy Hash: c380954a205d623cb66a27fe5a850227fcbf912c343e0c476c3aab25ebe947b6
                        • Instruction Fuzzy Hash: 286139B690011CAEDB209F60CD84FEBB7BCEB25346F0045A5E65AF2141EA359F84CF64
                        APIs
                        • GetModuleHandleA.KERNEL32(olmapi32.dll,?,2DE03757), ref: 2DE036EB
                        • GetProcAddress.KERNEL32(00000000,SetGuardValue), ref: 2DE03704
                        • GetProcAddress.KERNEL32(00000000,GetGuardValue), ref: 2DE03711
                        • GetProcAddress.KERNEL32(00000000,SetExemptValue), ref: 2DE0371E
                        • GetProcAddress.KERNEL32(00000000,GetExemptValue), ref: 2DE0372B
                        • GetProcAddress.KERNEL32(00000000,AssertGuardedAPIAllowed), ref: 2DE03738
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule
                        • String ID: AssertGuardedAPIAllowed$GetExemptValue$GetGuardValue$SetExemptValue$SetGuardValue$olmapi32.dll
                        • API String ID: 667068680-308179802
                        • Opcode ID: 2da1637b33e42520db35a5d7ec3998ebfb3160fb8f0dfab416e0f88474edc647
                        • Instruction ID: 988fb480c345da6b462c81b053b744b3773b4339da8b9e9e132506be8564a9c1
                        • Opcode Fuzzy Hash: 2da1637b33e42520db35a5d7ec3998ebfb3160fb8f0dfab416e0f88474edc647
                        • Instruction Fuzzy Hash: FAF0A4729013116AC3016F799C4CBA67FF8EF95E16308009BF06AFF21ADEB89451CB55
                        APIs
                        • GetModuleHandleA.KERNEL32(olmapi32.dll,?,2DE03757), ref: 2DE036EB
                        • GetProcAddress.KERNEL32(00000000,SetGuardValue), ref: 2DE03704
                        • GetProcAddress.KERNEL32(00000000,GetGuardValue), ref: 2DE03711
                        • GetProcAddress.KERNEL32(00000000,SetExemptValue), ref: 2DE0371E
                        • GetProcAddress.KERNEL32(00000000,GetExemptValue), ref: 2DE0372B
                        • GetProcAddress.KERNEL32(00000000,AssertGuardedAPIAllowed), ref: 2DE03738
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule
                        • String ID: AssertGuardedAPIAllowed$GetExemptValue$GetGuardValue$SetExemptValue$SetGuardValue$olmapi32.dll
                        • API String ID: 667068680-308179802
                        • Opcode ID: ffc7b254352cf169da9c06b4b7315b3856ebb7b7dee4b2775e132e7724cf2903
                        • Instruction ID: e0cd10a272b55b308a936e0bffb4ee0005b5159f6a0e10c4fde9fcb6ec60735c
                        • Opcode Fuzzy Hash: ffc7b254352cf169da9c06b4b7315b3856ebb7b7dee4b2775e132e7724cf2903
                        • Instruction Fuzzy Hash: E5F090729013256AC3046F39CC4CFA6BEF8EB90E16B04045BB02AFB315DBB89410CE54
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE0BD3B
                        • EnableWindow.USER32(?,00000001), ref: 2DE0BD49
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD63
                        • EnableWindow.USER32(?,00000001), ref: 2DE0BD6D
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD92
                        • ShowWindow.USER32(?,00000000), ref: 2DE0BDB0
                        • EnableWindow.USER32(?,00000000), ref: 2DE0BDBD
                        • ShowWindow.USER32(?,00000000), ref: 2DE0BDCA
                        • EnableWindow.USER32(?,00000000), ref: 2DE0BDD7
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE1E
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE3D
                        • DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE59
                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,0000000C), ref: 2DE0BE86
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Defer$Enable$Show$Rect
                        • String ID:
                        • API String ID: 3661885419-0
                        • Opcode ID: eecf1b75bd186642706e7a15d1bb290a6188f4abe5dc8f695ac0815e82b51720
                        • Instruction ID: 0ed2a44ee243fdbb2ef71b4a8379aa11c53314dec4cc464ba6735a971b866519
                        • Opcode Fuzzy Hash: eecf1b75bd186642706e7a15d1bb290a6188f4abe5dc8f695ac0815e82b51720
                        • Instruction Fuzzy Hash: 845195B6500609AFDB11DFA8CC84EEABBF9FF48345F004419F96A96260D771AD50DF60
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE085A1
                        • ScreenToClient.USER32(?,?), ref: 2DE085AA
                        • GetWindowRect.USER32(?,?), ref: 2DE085CB
                        • ScreenToClient.USER32(?,?), ref: 2DE085D4
                        • GetWindowRect.USER32(?,?), ref: 2DE085EE
                        • ScreenToClient.USER32(?,?), ref: 2DE08609
                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 2DE08620
                        • MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE08635
                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE08643
                        • SendMessageA.USER32(?,00000441,00000000,00000000), ref: 2DE08654
                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE08662
                        • GetWindowRect.USER32(?,?), ref: 2DE0866E
                        • ScreenToClient.USER32(?,?), ref: 2DE08677
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$ClientRectScreen$MessageSend$Move
                        • String ID:
                        • API String ID: 442886372-0
                        • Opcode ID: 13306a61e9a0b6b5bd1c820945d2b3ca7b5496e6a891c2c3e65446d3432abdfe
                        • Instruction ID: 67756aeb0e198cde58ebb18b7465ba080efbe278f67839f37bd033683e832fd5
                        • Opcode Fuzzy Hash: 13306a61e9a0b6b5bd1c820945d2b3ca7b5496e6a891c2c3e65446d3432abdfe
                        • Instruction Fuzzy Hash: 0A41D276900609AFDB12DFA8CA45BDEBBF9FF08701F104465F612F6260D772AA10DB14
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE08C69
                        • ??_U@YAPAXI@Z.MSVCR90(00001000,00000030,2DE09EEC,00000000,?,?,00000014,2DE0A4D2), ref: 2DE08CA0
                          • Part of subcall function 2DE13812: Mailbox.LIBCMT ref: 2DE159AE
                          • Part of subcall function 2DE06995: LoadCursorA.USER32(00000000,?), ref: 2DE069A0
                          • Part of subcall function 2DE06995: SetCursor.USER32(00000000), ref: 2DE069A7
                        • SetCursor.USER32(L"-,00000000), ref: 2DE08CF7
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE08D03
                        • GetLastError.KERNEL32 ref: 2DE08D3F
                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 2DE08DA9
                        • GetLastError.KERNEL32 ref: 2DE08DB5
                        • CloseHandle.KERNEL32(000000FF), ref: 2DE08DC9
                        • SetCursor.USER32(L"-), ref: 2DE08DD2
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE08DDE
                          • Part of subcall function 2DE10293: LoadStringW.USER32(?,?,?,00000200), ref: 2DE10398
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Cursor$ErrorLastLoad$CloseFileH_prolog3_catchHandleMailboxReadString
                        • String ID: L"-
                        • API String ID: 318333782-653488915
                        • Opcode ID: c72aa40b642ab750a6b29e80ed70b053074ee9c90098a300b2bd53947873a5e2
                        • Instruction ID: 4971d3a002306baf27dbb85bec56b530cf0803773d299f597d0516b688d12f68
                        • Opcode Fuzzy Hash: c72aa40b642ab750a6b29e80ed70b053074ee9c90098a300b2bd53947873a5e2
                        • Instruction Fuzzy Hash: D2513A71900209EFCB05AFA4C884AEDBBB9FF18715F108659F625BB291CB348E45CB60
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?,00000000,?,80000000), ref: 2DE0F246
                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 2DE0F26D
                        • RegCloseKey.ADVAPI32(?), ref: 2DE0F29F
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 2DE0F2DA
                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 2DE0F301
                        • GetSystemDefaultLCID.KERNEL32 ref: 2DE0F31B
                        • RegCloseKey.ADVAPI32(?), ref: 2DE0F32F
                        • GetSystemDefaultLCID.KERNEL32 ref: 2DE0F337
                        Strings
                        • UILanguage, xrefs: 2DE0F1FC
                        • Software\Policies\Microsoft\Office\14.0\Common\LanguageResources, xrefs: 2DE0F1D2
                        • Software\Microsoft\Office\14.0\Common\LanguageResources, xrefs: 2DE0F1F2
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseDefaultOpenQuerySystemValue
                        • String ID: Software\Microsoft\Office\14.0\Common\LanguageResources$Software\Policies\Microsoft\Office\14.0\Common\LanguageResources$UILanguage
                        • API String ID: 1931360540-2478438763
                        • Opcode ID: 8b7d7f2f51cf58a17fe12ffb29efd41d556ee8cc938cac258ad6e5ab258ae6ad
                        • Instruction ID: 7c40d89992d10d377e8a6cbc057cf58f26daefa917ffd8804153a0443dfdc308
                        • Opcode Fuzzy Hash: 8b7d7f2f51cf58a17fe12ffb29efd41d556ee8cc938cac258ad6e5ab258ae6ad
                        • Instruction Fuzzy Hash: 0D514C76A00228DFEB22CF60CC81FEAB7B8BB49715F0040D5E509FA281DB759A85CF51
                        APIs
                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 2DE183F5
                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,msi.dll,?,00000106), ref: 2DE1844A
                        • LoadLibraryW.KERNEL32(msi.dll), ref: 2DE18457
                        • GetProcAddress.KERNEL32(00000000,MsiGetProductCodeW), ref: 2DE18473
                        • GetProcAddress.KERNEL32(00000000,MsiProvideQualifiedComponentExW), ref: 2DE18481
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc$DirectorySystem
                        • String ID: MsiGetProductCodeW$MsiProvideQualifiedComponentExW$msi.dll$mso14.dll${1E77DE88-BCAB-4C37-B9E5-073AF52DFD7A}
                        • API String ID: 2381529825-3601640118
                        • Opcode ID: a561deea7513b478ab3a10dadaa1a62ff6dfc47870307986edab1943f2b586c8
                        • Instruction ID: a91da5b507411d3708a7b20a1b27f830a33c0404a843497ae4905b4efc26384c
                        • Opcode Fuzzy Hash: a561deea7513b478ab3a10dadaa1a62ff6dfc47870307986edab1943f2b586c8
                        • Instruction Fuzzy Hash: F94163B2904118ABDB109BA4CCC8ABE77BCEB48745F5044AAE246F7140EF358E84CF25
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE0C02A
                        • ScreenToClient.USER32(?,?), ref: 2DE0C033
                        • MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE0C04C
                          • Part of subcall function 2DE0BCEB: GetWindowRect.USER32(?,?), ref: 2DE0BD3B
                          • Part of subcall function 2DE0BCEB: EnableWindow.USER32(?,00000001), ref: 2DE0BD49
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD63
                          • Part of subcall function 2DE0BCEB: EnableWindow.USER32(?,00000001), ref: 2DE0BD6D
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BD92
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE1E
                          • Part of subcall function 2DE0BCEB: DeferWindowPos.USER32(?,?,00000000,?,?,00000000,00000000,0000000D), ref: 2DE0BE3D
                        • GetWindowRect.USER32(?,?), ref: 2DE0C0AB
                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 2DE0C0DD
                        • SendMessageA.USER32(?,00000441,00000000,00000000), ref: 2DE0C0ED
                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE0C16A
                        • BeginDeferWindowPos.USER32(0000000A), ref: 2DE0C16E
                        • DeferWindowPos.USER32(00000000,?,00000000,?,?,?,?,0000000C), ref: 2DE0C18E
                        • EndDeferWindowPos.USER32(?), ref: 2DE0C1B7
                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE0C1C6
                        • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 2DE0C1D4
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Defer$MessageRectSend$EnableMove$BeginClientRedrawScreen
                        • String ID:
                        • API String ID: 245351979-0
                        APIs
                          • Part of subcall function 6C900297: CreateFileW.KERNEL32(?,00000000,?,6C900687,?,?,00000000,?,6C900687,?,0000000C), ref: 6C9002B4
                        • GetLastError.KERNEL32 ref: 6C9006F2
                        • __dosmaperr.LIBCMT ref: 6C9006F9
                        • GetFileType.KERNEL32(00000000), ref: 6C900705
                        • GetLastError.KERNEL32 ref: 6C90070F
                        • __dosmaperr.LIBCMT ref: 6C900718
                        • CloseHandle.KERNEL32(00000000), ref: 6C900738
                        • CloseHandle.KERNEL32(6C8F85C2), ref: 6C900885
                        • GetLastError.KERNEL32 ref: 6C9008B7
                        • __dosmaperr.LIBCMT ref: 6C9008BE
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        APIs
                        • lstrlenW.KERNEL32(?), ref: 2DE0F7D8
                        • GetACP.KERNEL32(00000000,?,000000FF,?,000001FC), ref: 2DE0F7F2
                        • MultiByteToWideChar.KERNEL32(00000000), ref: 2DE0F7F9
                        • GetModuleHandleW.KERNEL32(mso.dll), ref: 2DE0F8C8
                        • MessageBoxW.USER32(00000000,?,00000000), ref: 2DE0F923
                        • CallNextHookEx.USER32(?,?,?), ref: 2DE0F93C
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCallCharHandleHookMessageModuleMultiNextWidelstrlen
                        • String ID: %ld - [%08lX:%08lX]$%ld - [%08lX]$[%08lX]$mso.dll
                        • API String ID: 3435520019-1696869425
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE05307
                          • Part of subcall function 2DE050C9: GetModuleHandleW.KERNEL32(KERNEL32), ref: 2DE050CF
                          • Part of subcall function 2DE050C9: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 2DE050E9
                          • Part of subcall function 2DE050C9: GetProcAddress.KERNEL32(00000000,GetSystemDEPPolicy), ref: 2DE050F3
                          • Part of subcall function 2DE050C9: SetProcessDEPPolicy.KERNEL32(00000001), ref: 2DE05106
                        • malloc.MSVCR90 ref: 2DE0533A
                        • malloc.MSVCR90 ref: 2DE0534B
                        • LoadStringW.USER32(000089E8,00000100), ref: 2DE05378
                        • LoadStringW.USER32(000089E9,00000100), ref: 2DE05394
                        • CoBuildVersion.OLE32 ref: 2DE0539E
                        • CoRegisterClassObject.OLE32(2DE01870,00000000,00000004,00000001,?,00000000), ref: 2DE0542A
                          • Part of subcall function 2DE107A6: malloc.MSVCR90 ref: 2DE107AD
                          • Part of subcall function 2DE107A6: memset.MSVCR90 ref: 2DE107C5
                        • CoRegisterClassObject.OLE32(2DE01880,00000000,00000004,00000001,?), ref: 2DE0548A
                        • LoadIconA.USER32(000088B8), ref: 2DE054D3
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Loadmalloc$AddressClassObjectProcRegisterString$BuildH_prolog3_catchHandleIconModulePolicyProcessVersionmemset
                        • String ID: P'-
                        • API String ID: 1755118194-2584166019
                        APIs
                        • MonitorFromWindow.USER32(?,00000002), ref: 2DE03FF3
                        • GetMonitorInfoA.USER32(00000000,00000028), ref: 2DE04002
                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 2DE04020
                        • GetWindowRect.USER32(00000000,?), ref: 2DE0403A
                        • GetWindowRect.USER32(?,?), ref: 2DE0404F
                        • OffsetRect.USER32(?,?,?), ref: 2DE04071
                        • OffsetRect.USER32(?,?,?), ref: 2DE04083
                        • OffsetRect.USER32(?,?,?), ref: 2DE04095
                        • SetWindowPos.USER32(?,00000000,?,00000000,00000000,00000000,00000015), ref: 2DE040F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Rect$Window$Offset$InfoMonitor$FromParametersSystem
                        • String ID: (
                        • API String ID: 4041948150-3887548279
                        APIs
                        • GetSysColor.USER32(0000000F), ref: 2DE07F43
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Color
                        • String ID: ToolbarWindow32
                        • API String ID: 2811717613-4104838417
                        APIs
                        • GetVersion.KERNEL32 ref: 2DE16055
                        • LoadCursorA.USER32(00000000,00007F02), ref: 2DE160C7
                        • LoadCursorA.USER32(00000000,00007F00), ref: 2DE160D2
                        • GetModuleHandleA.KERNEL32(USER32.DLL), ref: 2DE160E4
                        • GetProcAddress.KERNEL32(00000000,SetScrollInfo), ref: 2DE160F8
                        • GetProcAddress.KERNEL32(00000000,GetScrollInfo), ref: 2DE16103
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressCursorLoadProc$HandleModuleVersion
                        • String ID: GetScrollInfo$SetScrollInfo$USER32.DLL
                        • API String ID: 3295075773-1004610577
                        APIs
                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 2DE10454
                        • lstrlenW.KERNEL32(?,00000007,?), ref: 2DE105C3
                        • lstrlenW.KERNEL32(?), ref: 2DE105D1
                        • GetACP.KERNEL32(00000000,?,000000FF,?,?,00000000,00000000,-00000013,?), ref: 2DE1068B
                        • WideCharToMultiByte.KERNEL32(00000000), ref: 2DE10694
                        • GetACP.KERNEL32(00000000,?,000000FF,?,?,00000000,00000000), ref: 2DE106C0
                        • WideCharToMultiByte.KERNEL32(00000000), ref: 2DE106C3
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiWidelstrlen$Read
                        • String ID:
                        • API String ID: 3283085596-0
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00020019,?), ref: 2DE18862
                        • RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,?,0000020A), ref: 2DE1888C
                        • RegCloseKey.ADVAPI32(?), ref: 2DE188A2
                        • LoadLibraryW.KERNEL32(?,\Microsoft Shared\office14\mso.dll,?,00000105), ref: 2DE188E1
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 2DE18846
                        • \Microsoft Shared\office14\mso.dll, xrefs: 2DE188D0
                        • mso.dll, xrefs: 2DE188ED
                        • CommonFilesDir, xrefs: 2DE18881
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseLibraryLoadOpenQueryValue
                        • String ID: CommonFilesDir$Software\Microsoft\Windows\CurrentVersion$\Microsoft Shared\office14\mso.dll$mso.dll
                        • API String ID: 3751545530-1101215619
                        APIs
                        • GetVersion.KERNEL32 ref: 2DE03837
                        • GetFileAttributesW.KERNEL32(???.???), ref: 2DE03842
                        • GetModuleHandleA.KERNEL32(Unicows.dll), ref: 2DE0384D
                        • GetProcAddress.KERNEL32(00000000,?), ref: 2DE03875
                        • GetVersion.KERNEL32 ref: 2DE03888
                        • GetProcAddress.KERNEL32(00000000,?), ref: 2DE038A8
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressProcVersion$AttributesFileHandleModule
                        • String ID: ???.???$Unicows.dll
                        • API String ID: 3183861727-2162356649
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,6C8DCF5A,6C8DCF5C,00000000,00000000,528C51E4,?,?,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A,0000000C), ref: 6C8E19A9
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,6C8DCF5A,?,00000000,00000000,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A), ref: 6C8E1A24
                        • SysAllocString.OLEAUT32(00000000), ref: 6C8E1A2F
                        • _com_issue_error.COMSUPP ref: 6C8E1A58
                        • _com_issue_error.COMSUPP ref: 6C8E1A62
                        • GetLastError.KERNEL32(80070057,528C51E4,?,?,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A,0000000C,?,6C8DCF5A), ref: 6C8E1A67
                        • _com_issue_error.COMSUPP ref: 6C8E1A7A
                        • GetLastError.KERNEL32(00000000,?,?,?,6C8DCF5A,00000000,?,6C8D3AA5,6C8DCF5A,0000000C,?,6C8DCF5A), ref: 6C8E1A90
                        • _com_issue_error.COMSUPP ref: 6C8E1AA3
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                        • String ID:
                        • API String ID: 1353541977-0
                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 6C8E5765
                        • ___TypeMatch.LIBVCRUNTIME ref: 6C8E5873
                        • _UnwindNestedFrames.LIBCMT ref: 6C8E59C5
                        • CallUnexpected.LIBVCRUNTIME ref: 6C8E59E0
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm
                        • API String ID: 2751267872-393685449
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE0C37B
                        • DrawFocusRect.USER32(?,?), ref: 2DE0C3D9
                        • PatBlt.GDI32(?,?,?,?,?,00FF0062), ref: 2DE0C421
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: DrawFocusH_prolog3_catchRect
                        • String ID: ...
                        • API String ID: 1217028765-440645147
                        APIs
                        • memset.MSVCR90 ref: 2DE18605
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00020019,000000FF), ref: 2DE18659
                        • RegQueryValueExW.ADVAPI32(000000FF,CommonFilesDir,00000000,00000000,?,0000020A), ref: 2DE1867E
                          • Part of subcall function 2DE18540: LoadLibraryW.KERNEL32(?), ref: 2DE185BC
                        • RegCloseKey.ADVAPI32(000000FF), ref: 2DE186CA
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 2DE1864F
                        • Microsoft Shared\office14\, xrefs: 2DE1861A
                        • CommonFilesDir, xrefs: 2DE18673
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseLibraryLoadOpenQueryValuememset
                        • String ID: CommonFilesDir$Microsoft Shared\office14\$Software\Microsoft\Windows\CurrentVersion
                        • API String ID: 79794857-3032397660
                        APIs
                        • lstrlenW.KERNEL32(00000000,?,80000000), ref: 2DE0FBFE
                        • lstrlenA.KERNEL32(00000000,?,80000000), ref: 2DE0FC06
                        • LoadStringW.USER32(?,?,?,00000200), ref: 2DE0FC79
                        • GetACP.KERNEL32(00000000,00000201,000000FF,?,00000201,00000201,?,?,80000000), ref: 2DE0FCEA
                        • MultiByteToWideChar.KERNEL32(00000000), ref: 2DE0FCF1
                        • GetCurrentThreadId.KERNEL32 ref: 2DE0FCF7
                        • SetWindowsHookExW.USER32(000000FF,2DE0F729,00000000,00000000), ref: 2DE0FD06
                        • UnhookWindowsHookEx.USER32(00000000), ref: 2DE0FD70
                          • Part of subcall function 2DE0F61C: GetModuleHandleW.KERNEL32(mso.dll,?,2DE0FBDC,?,00000201,?,?,80000000), ref: 2DE0F624
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: HookWindowslstrlen$ByteCharCurrentHandleLoadModuleMultiStringThreadUnhookWide
                        • String ID:
                        • API String ID: 4184960637-0
                        • Opcode ID: 065262e888bcc708b1f284206782184192a233539428be98c1ed4cef9a25e176
                        • Instruction ID: 9e26e9592c1b3ef935f090cda8942afb7a38772dde86cd67278933ade216867e
                        • Opcode Fuzzy Hash: 065262e888bcc708b1f284206782184192a233539428be98c1ed4cef9a25e176
                        • Instruction Fuzzy Hash: 9A616F72A00205EFCB01DFA4C985A6EBBB4FF08756F10452AFA16F7290CB34D964CB95
                        APIs
                        • ??_V@YAXPAX@Z.MSVCR90(?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?,?), ref: 2DE172FC
                        • ??_U@YAPAXI@Z.MSVCR90(?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?,?), ref: 2DE1731A
                        • memset.MSVCR90 ref: 2DE17326
                        • memset.MSVCR90 ref: 2DE1734F
                        • ??_U@YAPAXI@Z.MSVCR90(?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?,?), ref: 2DE1739F
                        • memcpy.MSVCR90(00000000,?,?,?,?,?,?,?,2DE15264,?,000000FF,?,?,?,2DE0A56B,?), ref: 2DE173B1
                        • memset.MSVCR90 ref: 2DE173C7
                        • ??_V@YAXPAX@Z.MSVCR90(?,?,00000000,?,00000000,?,?,?,?,?,?,?,2DE15264,?,000000FF), ref: 2DE173CF
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: memset$memcpy
                        • String ID:
                        • API String ID: 368790112-0
                        • Opcode ID: cab2f0a68c08a215e292c57bf758677830bf06002173c9b7a8a0609d3745db6e
                        • Instruction ID: 01e67216fbd168e9696475533a605f4c877463738e65f529f3b1af394df0e4cf
                        • Opcode Fuzzy Hash: cab2f0a68c08a215e292c57bf758677830bf06002173c9b7a8a0609d3745db6e
                        • Instruction Fuzzy Hash: 0131C5B1704700DBD721AF69CCC2E1EB7D5EB44A54B21C92DEA6AFB640DA30EC44CB40
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE13217
                        • CloseHandle.KERNEL32(?,00000004,2DE04F48,00000004,2DE04F78), ref: 2DE13234
                        • Mailbox.LIBCMT ref: 2DE13266
                        • Mailbox.LIBCMT ref: 2DE13277
                        • Mailbox.LIBCMT ref: 2DE13288
                        • Mailbox.LIBCMT ref: 2DE13299
                        • Mailbox.LIBCMT ref: 2DE132AA
                        • ??3@YAXPAX@Z.MSVCR90(00000000,00000004,2DE04F48,00000004,2DE04F78), ref: 2DE132DE
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Mailbox$??3@CloseH_prolog3Handle
                        • String ID:
                        • API String ID: 1655960846-0
                        • Opcode ID: f279f09d6a0b4f1a54489b2b22a88a0736dae57d32d307f9707cba6c43cbac02
                        • Instruction ID: f50f39fb23b1299c94324f8a5f5e8def76818ed0c64aaa32ecb0b1b37edad16d
                        • Opcode Fuzzy Hash: f279f09d6a0b4f1a54489b2b22a88a0736dae57d32d307f9707cba6c43cbac02
                        • Instruction Fuzzy Hash: A92136747047029BCB24AFA18491A6DBBE2FF64304F52092DC3DA77681CE71ED88CB91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: isdigit
                        • String ID: z
                        • API String ID: 2326231117-1657960367
                        • Opcode ID: ac17b01145ba7ca2fbfc3fa967c8219a4834eb07b47c83a8880dca6859013e69
                        • Instruction ID: ecc6e3a7f133e5940974b534aaebc0fa7f412d777ee8df15538e836b9cb1db30
                        • Opcode Fuzzy Hash: ac17b01145ba7ca2fbfc3fa967c8219a4834eb07b47c83a8880dca6859013e69
                        • Instruction Fuzzy Hash: B471A271D0061AEFCF01DFA4C840AAEB7B4FF8431AF608556E952BB280DB349A61CF51
                        APIs
                        • __EH_prolog3_catch_GS.LIBCMT ref: 2DE06584
                          • Part of subcall function 2DE1127F: __EH_prolog3_catch.LIBCMT ref: 2DE11286
                          • Part of subcall function 2DE0646A: GetWindowRect.USER32(?,?), ref: 2DE0647F
                          • Part of subcall function 2DE0646A: ScreenToClient.USER32(?,?), ref: 2DE0648C
                          • Part of subcall function 2DE0646A: MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE064A2
                          • Part of subcall function 2DE0646A: SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE064D5
                          • Part of subcall function 2DE0646A: MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 2DE064EA
                          • Part of subcall function 2DE0646A: SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE064F8
                          • Part of subcall function 2DE0646A: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 2DE06508
                        • GetDlgItem.USER32(00000001,000088C2), ref: 2DE065CD
                          • Part of subcall function 2DE04745: _wcsicmp.MSVCR90 ref: 2DE04757
                        • EnableWindow.USER32(?,00000000), ref: 2DE06778
                        • SetWindowTextW.USER32(?,?), ref: 2DE0679E
                        • SetFocus.USER32(?), ref: 2DE067BA
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$MessageMoveSend$ClientEnableFocusH_prolog3_catchH_prolog3_catch_ItemRectRedrawScreenText_wcsicmp
                        • String ID: IPM.Conflict.Message
                        • API String ID: 3324545711-3689180561
                        • Opcode ID: 89563ce0b3311e031b671a500e1268eac639902acf466ff22f93cf609b6259ac
                        • Instruction ID: b3752bfa17b56596601b3db8dcab7f0adfb8ff7e85b8668bb76bba10a4b40695
                        • Opcode Fuzzy Hash: 89563ce0b3311e031b671a500e1268eac639902acf466ff22f93cf609b6259ac
                        • Instruction Fuzzy Hash: F7518370E4825A9BDB11DB54CD81BAD73A4EF20302F4541A8AA49BF285DE34AF45CF91
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE071F3
                        • memset.MSVCR90 ref: 2DE07206
                          • Part of subcall function 2DE052D6: GetProcAddress.KERNEL32(00000000,00000142), ref: 2DE052F4
                        • GetWindowRect.USER32(?,?), ref: 2DE072E8
                        • PostMessageA.USER32(00000001,00000111,0000891C,00000000), ref: 2DE07357
                        • SetCursor.USER32(?), ref: 2DE07360
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressCursorH_prolog3MessagePostProcRectWindowmemset
                        • String ID: D
                        • API String ID: 308528978-2746444292
                        • Opcode ID: 96d0d382f976984e268bdff0539b49b3f1270286629b71aa9eb46c8836169717
                        • Instruction ID: 634d7ecd115178018482c171c355e894373862168e1187e81785f10fcec3337e
                        • Opcode Fuzzy Hash: 96d0d382f976984e268bdff0539b49b3f1270286629b71aa9eb46c8836169717
                        • Instruction Fuzzy Hash: FD415070A04605DFDB11EFA0C889FAEBBB9FF44706F20451CE65ABB291DB35A905CB11
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 6C8E4E17
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6C8E4E1F
                        • _ValidateLocalCookies.LIBCMT ref: 6C8E4EA8
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6C8E4ED3
                        • _ValidateLocalCookies.LIBCMT ref: 6C8E4F28
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: bd981ace971ecf3a411b894a973b3c030490cefc78a1d0fd5bd573ba25962dd3
                        • Instruction ID: f2eb5d60866becd2814c63a9c687c4881cec84c9212b291cea1272048b927853
                        • Opcode Fuzzy Hash: bd981ace971ecf3a411b894a973b3c030490cefc78a1d0fd5bd573ba25962dd3
                        • Instruction Fuzzy Hash: EF417534A002099FCF20CFADC944ADE7BB5AFCA328F14C969D9189BB51D731D915CB91
                        APIs
                          • Part of subcall function 2DE15D40: GetFocus.USER32 ref: 2DE15D44
                          • Part of subcall function 2DE15D40: GetParent.USER32(00000000), ref: 2DE15D6C
                          • Part of subcall function 2DE15D40: GetWindowLongA.USER32(?,000000F0), ref: 2DE15D87
                          • Part of subcall function 2DE15D40: GetParent.USER32(?), ref: 2DE15D95
                          • Part of subcall function 2DE15D40: GetDesktopWindow.USER32 ref: 2DE15D99
                          • Part of subcall function 2DE15D40: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 2DE15DAD
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • GetMenu.USER32(?), ref: 2DE13F12
                        • GetMenu.USER32(?), ref: 2DE13F27
                        • GetMenuItemCount.USER32(00000000), ref: 2DE13F30
                        • GetSubMenu.USER32(00000000,00000000), ref: 2DE13F41
                        • GetMenuItemCount.USER32(?), ref: 2DE13F65
                        • GetMenuItemID.USER32(?,?), ref: 2DE13F7F
                        • GetMenuItemID.USER32(?,00000000), ref: 2DE13FA2
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Menu$Item$CountParentWindow$DesktopErrorFocusH_prolog3LastLongMessageSend
                        • String ID:
                        • API String ID: 666752450-0
                        • Opcode ID: 9be9fc55af222156d3f25f59f4677193daa099dbe6c32b64145a41323d57a954
                        • Instruction ID: d26a778a9b28378a9b9412e49421c64afadef5f417993a0c201165685ec7c745
                        • Opcode Fuzzy Hash: 9be9fc55af222156d3f25f59f4677193daa099dbe6c32b64145a41323d57a954
                        • Instruction Fuzzy Hash: 17417971A04208ABCF019F68CC809EEBBB6FF48314F20856AE951F6251DB31DD41DF60
                        APIs
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • _msize.MSVCR90 ref: 2DE15A7F
                        • _msize.MSVCR90 ref: 2DE15A99
                        • free.MSVCR90 ref: 2DE15AA1
                        • ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCR90 ref: 2DE15AB1
                        • malloc.MSVCR90 ref: 2DE15ABF
                        • malloc.MSVCR90 ref: 2DE15AD2
                        • ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCR90 ref: 2DE15ADB
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ?_set_new_handler@@_msizemalloc$ErrorH_prolog3Lastfree
                        • String ID:
                        • API String ID: 3808399026-0
                        • Opcode ID: a9b4a528f875a6e218f063e785ad0623a17c94ad4a478d07bee21cb377004e87
                        • Instruction ID: fcf538b6cc03881a03c65b434e03e0854ad692f342596e42acc1d1a290db2e0b
                        • Opcode Fuzzy Hash: a9b4a528f875a6e218f063e785ad0623a17c94ad4a478d07bee21cb377004e87
                        • Instruction Fuzzy Hash: 84215E71B48B059FEB10ABB5D880B6AB7F8FF00655B21852AD645F3680EF35ED04CB64
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 2DE15F24
                        • IsWindowUnicode.USER32(?), ref: 2DE15F2D
                        • SetWindowTextW.USER32(?,?), ref: 2DE15F66
                          • Part of subcall function 2DE15CD7: IsWindowUnicode.USER32(?), ref: 2DE15CE0
                          • Part of subcall function 2DE15CD7: GetWindowTextW.USER32(?,00000100,?), ref: 2DE15CF3
                        • lstrcmpW.KERNEL32(?,?,?,?,00000100,?,00000000), ref: 2DE15F5A
                        • lstrcmpA.KERNEL32(?,00000000,?,?,00000100,?,00000001,?,00000000), ref: 2DE15FA1
                        • SetWindowTextA.USER32(?,00000000), ref: 2DE15FAD
                        • free.MSVCR90 ref: 2DE15FB4
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Text$Unicodelstrcmp$freelstrlen
                        • String ID:
                        • API String ID: 1265395221-0
                        • Opcode ID: 786049158eaa192aea86022bd4c83b0f3c1c87c26f6fc3538a559443fe02bcca
                        • Instruction ID: 87922f438859e4ced7c0ebfa7fd4c1cdc410c9255412a9d22884fd765a7b883f
                        • Opcode Fuzzy Hash: 786049158eaa192aea86022bd4c83b0f3c1c87c26f6fc3538a559443fe02bcca
                        • Instruction Fuzzy Hash: 121130B2705108ABDB119AA4CCC4EBFB3BCEB08B45B00456AF642F6241DF38DE44C665
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,528C51E4,?,6C8F2C6B,?,?,00000000,00000000), ref: 6C8F2C1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3664257935-537541572
                        • Opcode ID: cf3a35656ce2901ec22b742315da6f61fb974a65747785bd2cb9092fb531ba5e
                        • Instruction ID: 688a73315bd12e11e1441e28152e3578675e73c6214d5e0e476294163fc66f2d
                        • Opcode Fuzzy Hash: cf3a35656ce2901ec22b742315da6f61fb974a65747785bd2cb9092fb531ba5e
                        • Instruction Fuzzy Hash: 54213B3170A661F7CB319F69DD58A4B37789B537B4F210A14ED25EB680D734EA02CA90
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 2DE0647F
                        • ScreenToClient.USER32(?,?), ref: 2DE0648C
                        • MoveWindow.USER32(?,?,?,?,00000001,00000000), ref: 2DE064A2
                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 2DE064D5
                        • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 2DE064EA
                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 2DE064F8
                        • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 2DE06508
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$MessageMoveSend$ClientRectRedrawScreen
                        • String ID:
                        • API String ID: 4152145988-0
                        • Opcode ID: 04a9ca4bb46a16451840b574f6294cfb57172a5967cbfa26b447275fba0050d6
                        • Instruction ID: b5ac50140a410b60ad33f8386210b9b37e20caadc3da37fb2d49580a715190a1
                        • Opcode Fuzzy Hash: 04a9ca4bb46a16451840b574f6294cfb57172a5967cbfa26b447275fba0050d6
                        • Instruction Fuzzy Hash: 18114232200654BFDB215FA5CC49F5B7FB9FB48B41F048418F646BA1A0CBB6E510DB54
                        APIs
                        • GetModuleHandleA.KERNEL32(RPCRT4.dll), ref: 6C8E08F4
                        • GetProcAddress.KERNEL32(000000FF,?), ref: 6C8E0974
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: NdrC$RPCRT4.dll$all2$lientC
                        • API String ID: 1646373207-1156160658
                        • Opcode ID: 7e4113a07029494f8ad52ec0521a36e49a0def259925514dd37d70b8cb5c877d
                        • Instruction ID: c91804c25a85e8ea23aa3fc6dc10386cbe4a5fc1bd324d9039a7f068072e85d6
                        • Opcode Fuzzy Hash: 7e4113a07029494f8ad52ec0521a36e49a0def259925514dd37d70b8cb5c877d
                        • Instruction Fuzzy Hash: AE211F75E04258DFDB10DFA4C946BDD7BB8AB4E204F1089AAD51AF6640E7309B48DF21
                        APIs
                        • FindResourceW.KERNEL32(2DE00000,?,00000005,00000000,?,00000000,?,?,?,2DE14967,?,?,00000000,?,?), ref: 2DE141EC
                        • LoadResource.KERNEL32(2DE00000,00000000,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?), ref: 2DE141FA
                        • LockResource.KERNEL32(00000000,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?,?), ref: 2DE14208
                        • SizeofResource.KERNEL32(2DE00000,00000000,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?), ref: 2DE14217
                        • malloc.MSVCR90 ref: 2DE1422D
                        • memcpy.MSVCR90(00000000,?,00000000,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?), ref: 2DE14240
                        • FreeResource.KERNEL32(?,?,2DE14967,?,?,00000000,?,?,?,2DE07D54,?,?,?,00000000,?,?), ref: 2DE1424B
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Resource$FindFreeLoadLockSizeofmallocmemcpy
                        • String ID:
                        • API String ID: 2295636306-0
                        • Opcode ID: 48227763c1cff33241410102a9e0115e82b0c1e9edc6b40d3a9e5449d4db98a2
                        • Instruction ID: f8a201167685b9d33afba2d9e38b5c3827bf90187039fb53aa4c1ea71aba8f6d
                        • Opcode Fuzzy Hash: 48227763c1cff33241410102a9e0115e82b0c1e9edc6b40d3a9e5449d4db98a2
                        • Instruction Fuzzy Hash: 8211FE7660060AABDB015FE5C848BAA7BF8EF49696B104065F905F6300EE75DD40CB74
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE0B7DC
                        • ~_Task_impl.LIBCPMT ref: 2DE0B7F9
                          • Part of subcall function 2DE15440: __EH_prolog3.LIBCMT ref: 2DE15447
                        • ~_Task_impl.LIBCPMT ref: 2DE0B808
                          • Part of subcall function 2DE154BD: __EH_prolog3.LIBCMT ref: 2DE154C4
                        • ~_Task_impl.LIBCPMT ref: 2DE0B817
                        • ~_Task_impl.LIBCPMT ref: 2DE0B826
                        • ~_Task_impl.LIBCPMT ref: 2DE0B835
                          • Part of subcall function 2DE153F3: __EH_prolog3.LIBCMT ref: 2DE153FA
                        • ~_Task_impl.LIBCPMT ref: 2DE0B844
                          • Part of subcall function 2DE04873: ??_V@YAXPAX@Z.MSVCR90(?,?,2DE04B1B), ref: 2DE04883
                          • Part of subcall function 2DE08409: __EH_prolog3.LIBCMT ref: 2DE08410
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Task_impl$H_prolog3
                        • String ID:
                        • API String ID: 1204490572-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: malloc$freememcpy
                        • String ID:
                        • API String ID: 4259248891-0
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6C8E175B
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6C8E17C6
                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8E17E3
                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6C8E1822
                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8E1881
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C8E18A4
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiStringWide
                        • String ID:
                        • API String ID: 2829165498-0
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE11AB1
                        • GetPropA.USER32(?,00000000), ref: 2DE11AC1
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 2DE11B58
                          • Part of subcall function 2DE11492: GetWindowLongA.USER32(?,000000F0), ref: 2DE114A6
                          • Part of subcall function 2DE11492: GetWindowRect.USER32(?,?), ref: 2DE114BA
                          • Part of subcall function 2DE11492: IsWindowEnabled.USER32(?), ref: 2DE114DF
                        • SetWindowLongA.USER32(?,000000FC,?), ref: 2DE11B77
                        • RemovePropA.USER32(?,00000000), ref: 2DE11B86
                          • Part of subcall function 2DE10D23: GetWindowRect.USER32(?,?), ref: 2DE10D2C
                          • Part of subcall function 2DE10D23: GetWindowLongA.USER32(?,000000F0), ref: 2DE10D37
                        • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 2DE11BE3
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Long$CallProcPropRect$EnabledErrorH_prolog3H_prolog3_catchLastRemove
                        • String ID:
                        • API String ID: 1391589453-0
                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 2DE084B7
                          • Part of subcall function 2DE08374: SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 2DE0837D
                        • GetObjectA.GDI32(?,0000003C,?), ref: 2DE084DA
                        • GetDC.USER32(00000000), ref: 2DE084E2
                          • Part of subcall function 2DE08338: CreateFontIndirectA.GDI32(?), ref: 2DE08341
                          • Part of subcall function 2DE14F4C: SelectObject.GDI32(?,00000000), ref: 2DE14F70
                          • Part of subcall function 2DE14F4C: SelectObject.GDI32(?,00000000), ref: 2DE14F86
                        • GetTextMetricsA.GDI32(?,?), ref: 2DE08528
                        • GetTextMetricsA.GDI32(?), ref: 2DE08555
                        • ReleaseDC.USER32(00000000,?), ref: 2DE0856F
                          • Part of subcall function 2DE14ED4: __EH_prolog3.LIBCMT ref: 2DE14EDB
                          • Part of subcall function 2DE14ED4: DeleteDC.GDI32(00000000), ref: 2DE14EFB
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Object$MetricsSelectText$CreateDeleteFontH_prolog3H_prolog3_IndirectMessageReleaseSend
                        • String ID:
                        • API String ID: 275216013-0
                        APIs
                        • GetLastError.KERNEL32(00000001,?,6C8E51E9,6C8E22B5,6C8E1EC9,?,6C8E2101,?,00000001,?,?,00000001,?,6C911EC0,0000000C,6C8E21FA), ref: 6C8E52E6
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C8E52F4
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C8E530D
                        • SetLastError.KERNEL32(00000000,6C8E2101,?,00000001,?,?,00000001,?,6C911EC0,0000000C,6C8E21FA,?,00000001,?), ref: 6C8E535F
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        APIs
                        • memset.MSVCR90 ref: 2DE0430C
                          • Part of subcall function 2DE041B0: SetLastError.KERNEL32(?), ref: 2DE042E5
                        • GetLastError.KERNEL32 ref: 2DE04371
                        • CloseHandle.KERNEL32(?), ref: 2DE0437C
                        • SetLastError.KERNEL32(00000000), ref: 2DE04383
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$CloseHandlememset
                        • String ID: <$print
                        • API String ID: 637397322-3177634819
                        APIs
                        • GetFocus.USER32 ref: 2DE15D44
                        • GetParent.USER32(00000000), ref: 2DE15D6C
                          • Part of subcall function 2DE15C0F: GetWindowLongA.USER32(?,000000F0), ref: 2DE15C2E
                          • Part of subcall function 2DE15C0F: GetClassNameA.USER32(?,?,0000000A), ref: 2DE15C43
                          • Part of subcall function 2DE15C0F: lstrcmpiA.KERNEL32(?,combobox), ref: 2DE15C52
                        • GetWindowLongA.USER32(?,000000F0), ref: 2DE15D87
                        • GetParent.USER32(?), ref: 2DE15D95
                        • GetDesktopWindow.USER32 ref: 2DE15D99
                        • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 2DE15DAD
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
                        • String ID:
                        • API String ID: 2818563221-0
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Office\14.0\Common\FilesPaths,00000000,00020019,?,?,00000000), ref: 2DE18736
                        • RegQueryValueExW.ADVAPI32(?,mso.dll,00000000,00000000,?,00000208,?,00000000), ref: 2DE18757
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 2DE1876B
                        Strings
                        • Software\Microsoft\Office\14.0\Common\FilesPaths, xrefs: 2DE1871A
                        • mso.dll, xrefs: 2DE1874C
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Software\Microsoft\Office\14.0\Common\FilesPaths$mso.dll
                        • API String ID: 3677997916-1420724145
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,6C8E6445,6C8E500A,?,?,00000000,?,6C8E64F7,00000002,FlsGetValue,6C906D98), ref: 6C8E6413
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID: api-ms-
                        • API String ID: 3664257935-2084034818
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,528C51E4,?,?,00000000,6C903507,000000FF,?,6C8E6DB6,?,?,6C8E6D8A,00000000), ref: 6C8E6E5B
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C8E6E6D
                        • FreeLibrary.KERNEL32(00000000,?,00000000,6C903507,000000FF,?,6C8E6DB6,?,?,6C8E6D8A,00000000), ref: 6C8E6E8F
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        APIs
                        • _stricmp.MSVCR90(?,IPM.Conflict.Message), ref: 2DE05C06
                        • _stricmp.MSVCR90(?,IPM.Conflict.Folder), ref: 2DE05C16
                        • _stricmp.MSVCR90(?,?), ref: 2DE05C2A
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: _stricmp
                        • String ID: IPM.Conflict.Folder$IPM.Conflict.Message
                        • API String ID: 2884411883-576266925
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: freemalloc$ByteCharMultiWidelstrlen
                        • String ID:
                        • API String ID: 4100972401-0
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE0812D
                          • Part of subcall function 2DE06995: LoadCursorA.USER32(00000000,?), ref: 2DE069A0
                          • Part of subcall function 2DE06995: SetCursor.USER32(00000000), ref: 2DE069A7
                        • MessageBoxW.USER32(00000005,?,?,00000134), ref: 2DE0820B
                        • GetWindowRect.USER32(00000003,?), ref: 2DE08260
                        • PostMessageA.USER32(00000003,00000111,0000891C,00000000), ref: 2DE082BA
                        • SetCursor.USER32(?), ref: 2DE082F2
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Cursor$Message$H_prolog3_catchLoadPostRectWindow
                        • String ID:
                        • API String ID: 4269587068-0
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE06E3A
                          • Part of subcall function 2DE06995: LoadCursorA.USER32(00000000,?), ref: 2DE069A0
                          • Part of subcall function 2DE06995: SetCursor.USER32(00000000), ref: 2DE069A7
                        • SetCursor.USER32(?), ref: 2DE06E9B
                        • SetCursor.USER32(?), ref: 2DE06EC4
                        • GetWindowRect.USER32(?,?), ref: 2DE06ED5
                        • PostMessageA.USER32(?,00000111,0000891C,00000000), ref: 2DE06F25
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Cursor$H_prolog3LoadMessagePostRectWindow
                        • String ID:
                        • API String ID: 4037273543-0
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE08A5E
                        • ??_U@YAPAXI@Z.MSVCR90(00001000), ref: 2DE08ACD
                          • Part of subcall function 2DE13812: Mailbox.LIBCMT ref: 2DE159AE
                        • WriteFile.KERNEL32(000000FF,?,?,2DE0224C,00000000), ref: 2DE08B01
                        • CloseHandle.KERNEL32(000000FF), ref: 2DE08B2F
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE08B3C
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CloseFileH_prolog3_catchHandleMailboxWrite
                        • String ID:
                        • API String ID: 1130278343-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        APIs
                        • SetLastError.KERNEL32(00000000), ref: 2DE0444B
                          • Part of subcall function 2DE042F4: memset.MSVCR90 ref: 2DE0430C
                        • GetLastError.KERNEL32 ref: 2DE0441B
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast$memset
                        • String ID: k2ub$l2ub$m2ub
                        • API String ID: 4054172246-710509214
                        APIs
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • CallNextHookEx.USER32(?,?,?,?), ref: 2DE12336
                        • CallNextHookEx.USER32(?,00000003,?,?), ref: 2DE1237D
                        • UnhookWindowsHookEx.USER32(?), ref: 2DE12388
                        • GetCurrentThreadId.KERNEL32 ref: 2DE1239D
                        • SetWindowsHookExA.USER32(00000004,Function_00011CD5,00000000,00000000), ref: 2DE123AD
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Hook$CallNextWindows$CurrentErrorH_prolog3LastThreadUnhook
                        • String ID:
                        • API String ID: 2915796353-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: EnableFocus$ItemMenuParentWindow
                        • String ID:
                        • API String ID: 783553715-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassObjectRevokefree$FreeLibrary
                        • String ID:
                        • API String ID: 850073815-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Text$Unicodefreemalloc
                        • String ID:
                        • API String ID: 1936483696-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Text$Unicodefreemalloc
                        • String ID:
                        • API String ID: 1936483696-0
                        APIs
                        • ??_V@YAXPAX@Z.MSVCR90(?), ref: 2DE049C3
                          • Part of subcall function 2DE0F52B: malloc.MSVCR90 ref: 2DE0F531
                        • memmove.MSVCR90(?,?,?), ref: 2DE04991
                        • memmove.MSVCR90(?,8007000E,?), ref: 2DE049A6
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: memmove$malloc
                        • String ID: jsr9
                        • API String ID: 3263852767-1633979662
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE1438C
                        • GetWindowLongA.USER32(?,000000F0), ref: 2DE143BB
                        • GetParent.USER32(?), ref: 2DE143CB
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: H_prolog3_catchLongParentWindow
                        • String ID: 0
                        • API String ID: 944585138-4108050209
                        APIs
                          • Part of subcall function 2DE04873: ??_V@YAXPAX@Z.MSVCR90(?,?,2DE04B1B), ref: 2DE04883
                        • GetACP.KERNEL32 ref: 2DE04B25
                        • WideCharToMultiByte.KERNEL32(?,?,?,000000FF,00000000,00000000,00000000,00000000), ref: 2DE04B44
                        • WideCharToMultiByte.KERNEL32(?,?,?,000000FF,?,00000001,00000000,00000000), ref: 2DE04B8A
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide
                        • String ID: dk29
                        • API String ID: 626452242-1677150192
                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 2DE10000
                        • GetModuleHandleW.KERNEL32(mso.dll,0000001C,2DE100FB,00000000,?,?,00000000,00000000,?,?,2DE0FD52,?,00000000,?,?,?), ref: 2DE10075
                          • Part of subcall function 2DE04CF2: LoadStringW.USER32(?,?,?,00000100), ref: 2DE04D3C
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: H_prolog3_catchHandleLoadModuleString
                        • String ID: mso.dll
                        • API String ID: 2579502969-1671880577
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 2DE08EEB
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 2DE08EF9
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Time$System$File
                        • String ID: @$@
                        • API String ID: 2838179519-149943524
                        APIs
                        • LoadIconA.USER32(00000000,00007F00), ref: 2DE0529A
                        • LoadCursorA.USER32(00000000,00007F00), ref: 2DE052A5
                        • GetStockObject.GDI32(00000000), ref: 2DE052AF
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Load$CursorIconObjectStock
                        • String ID: Cnfnot_ClassFactory
                        • API String ID: 3711576554-2905417136
                        APIs
                        • GetWindowLongA.USER32(?,000000F0), ref: 2DE15C2E
                        • GetClassNameA.USER32(?,?,0000000A), ref: 2DE15C43
                        • lstrcmpiA.KERNEL32(?,combobox), ref: 2DE15C52
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassLongNameWindowlstrcmpi
                        • String ID: combobox
                        • API String ID: 2054663530-2240613097
                        APIs
                        • GetConsoleOutputCP.KERNEL32(528C51E4,00000000,00000000,?), ref: 6C8F3902
                          • Part of subcall function 6C8F9E65: WideCharToMultiByte.KERNEL32(00000000,00000000,6C8E66A1,?,6C8E6732,00000016,6C8EEE89,0000FDE9,?,?,00000008,?,00000003,6C912580,00000024,6C8EEE89), ref: 6C8F9F11
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C8F3B5D
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C8F3BA5
                        • GetLastError.KERNEL32 ref: 6C8F3C48
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                        • String ID:
                        • API String ID: 2112829910-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: H_prolog3_catch_
                        • String ID:
                        • API String ID: 1329019490-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: AdjustPointer
                        • String ID:
                        • API String ID: 1740715915-0
                        • Opcode ID: 9257d1621bb0751cd862e4fd31310406f2f9a989b7c9923925f4bfc74e253ae0
                        • Instruction ID: b7ed8f2dff8231e7340c0c7a5bb5db15518345f6df8ab9ac9cc4e2fd957ab8c3
                        • Opcode Fuzzy Hash: 9257d1621bb0751cd862e4fd31310406f2f9a989b7c9923925f4bfc74e253ae0
                        • Instruction Fuzzy Hash: E751D1B2606706AFDB358F98CA40BAA77B5EF4F319F200D2DD91647A90D731E841CB50
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7303fbe36ea327d128f4b038bfbf65970523db64ddd13426118725476800c869
                        • Instruction ID: 1d9b75dfb460a5b1850d5d3118d5f5de169ca54a9e0f37300efd4fcc73a437a6
                        • Opcode Fuzzy Hash: 7303fbe36ea327d128f4b038bfbf65970523db64ddd13426118725476800c869
                        • Instruction Fuzzy Hash: 9641F471A00608BFD7249F78CA45B9EBBA9FB89754F104A39E121DBB80D771E5068790
                        APIs
                          • Part of subcall function 6C8F9E65: WideCharToMultiByte.KERNEL32(00000000,00000000,6C8E66A1,?,6C8E6732,00000016,6C8EEE89,0000FDE9,?,?,00000008,?,00000003,6C912580,00000024,6C8EEE89), ref: 6C8F9F11
                        • GetLastError.KERNEL32 ref: 6C8FA115
                        • __dosmaperr.LIBCMT ref: 6C8FA11C
                        • GetLastError.KERNEL32(?,?,?,?), ref: 6C8FA156
                        • __dosmaperr.LIBCMT ref: 6C8FA15D
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                        • String ID:
                        • API String ID: 1913693674-0
                        • Opcode ID: 8336a423ae6d250c2e2008bb35c6ae4307023f1527a4567751b9252e783df40d
                        • Instruction ID: 099595fa6fc7ef70c72ebba3d15c414ccfc57b7c4b43183826d0354d89dbf63d
                        • Opcode Fuzzy Hash: 8336a423ae6d250c2e2008bb35c6ae4307023f1527a4567751b9252e783df40d
                        • Instruction Fuzzy Hash: 7321CB31604209AFD7309F6ACA808DB77B9FF453B87054D29E935D7A40D731EC428790
                        APIs
                        • LoadResource.KERNEL32(2DE00000,00000000,2DE00000,?,000000F0), ref: 2DE1227A
                        • LockResource.KERNEL32(00000000), ref: 2DE12288
                        • SendDlgItemMessageA.USER32(00000001,?,?,00000000,00000000), ref: 2DE122D8
                        • FreeResource.KERNEL32(?), ref: 2DE122F0
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Resource$FreeItemLoadLockMessageSend
                        • String ID:
                        • API String ID: 3233515012-0
                        • Opcode ID: 54da911226e47677987d5c6859ecad6d1b87d98b962e3868688c034d0c492007
                        • Instruction ID: f0192012aa7517954cac57fad6016d4dd89499323d05f548ad05468c3b23549f
                        • Opcode Fuzzy Hash: 54da911226e47677987d5c6859ecad6d1b87d98b962e3868688c034d0c492007
                        • Instruction Fuzzy Hash: 46217172600114BFDB119F98CC85ABE77ECEB05355B90C026FA86F7240DA75DE41EBA4
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e4b36e52201d0b8c762c638dd5f5c9d25d0eb0067c5259e48fa6c9cc3d15aac
                        • Instruction ID: c00cf421491467611821c28f5d632ec0774aab896f9fa64188704cb55fd0d2bd
                        • Opcode Fuzzy Hash: 3e4b36e52201d0b8c762c638dd5f5c9d25d0eb0067c5259e48fa6c9cc3d15aac
                        • Instruction Fuzzy Hash: 40218431608209BFDB309FA9DE8089A7B69FF4B3687054D64F958D7A50D731EC5487E0
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 6C8FB068
                          • Part of subcall function 6C8F9E65: WideCharToMultiByte.KERNEL32(00000000,00000000,6C8E66A1,?,6C8E6732,00000016,6C8EEE89,0000FDE9,?,?,00000008,?,00000003,6C912580,00000024,6C8EEE89), ref: 6C8F9F11
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C8FB0A0
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C8FB0C0
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                        • String ID:
                        • API String ID: 158306478-0
                        • Opcode ID: ffc728a8d37d0827cd62f510431c1ee325fd69ad62d924f53835d4eb06e6b99a
                        • Instruction ID: cd0bcbd076bdd10e91cbfac5ad5e9f6a6c5a22cd161111c232e4b91c7296aae2
                        • Opcode Fuzzy Hash: ffc728a8d37d0827cd62f510431c1ee325fd69ad62d924f53835d4eb06e6b99a
                        • Instruction Fuzzy Hash: 261182A1709519FFA73116BA9E88CBF697DDF861D83100939F42191600EF649D0646B9
                        APIs
                          • Part of subcall function 2DE04873: ??_V@YAXPAX@Z.MSVCR90(?,?,2DE04B1B), ref: 2DE04883
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 2DE04BF9
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 2DE04C39
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide
                        • String ID: ek29$pq8e
                        • API String ID: 626452242-1107266725
                        • Opcode ID: ce4bb88f205e0af481b9bfe892d5e043abb8357571322b4b005d7a6b3fe14bf0
                        • Instruction ID: be86faf887ee6353c6523344bb696ce9baeb0910394add7470d99ebaf3857a78
                        • Opcode Fuzzy Hash: ce4bb88f205e0af481b9bfe892d5e043abb8357571322b4b005d7a6b3fe14bf0
                        • Instruction Fuzzy Hash: F511AFB2904118BFDF01AF95CDC0CAE7FBDFF052A6B208126F619B2150EA318E51DB60
                        APIs
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 2DE04FAA
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 2DE04FB8
                        • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,?), ref: 2DE04FD0
                        • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,?), ref: 2DE05018
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Time$File$Format$DateLocalSystem
                        • String ID:
                        • API String ID: 4010208002-0
                        • Opcode ID: 55d76e91ffc06cb61a2d4dba41318085536051da4817d29b16013b24dcfb9706
                        • Instruction ID: f38912fda9bd5f074ee0737b4064089315bde1cc702859d34c9f6b714a09bcab
                        • Opcode Fuzzy Hash: 55d76e91ffc06cb61a2d4dba41318085536051da4817d29b16013b24dcfb9706
                        • Instruction Fuzzy Hash: 511160776102096BDB10CBA4CD45FEB77BDEF49B0AF018021EA06F7281DA709941C7E0
                        APIs
                        • IsWindowEnabled.USER32(00000000), ref: 2DE119AD
                        • EnableWindow.USER32(00000000,00000001), ref: 2DE119DA
                          • Part of subcall function 2DE13955: IsWindow.USER32(?), ref: 2DE1397E
                          • Part of subcall function 2DE13955: EnableWindow.USER32(?,00000001), ref: 2DE13990
                          • Part of subcall function 2DE13955: ??_V@YAXPAX@Z.MSVCR90(?,00000000,00000000,?,2DE119D5,?,?,?,2DE11DC9,?,?,00000034,2DE07728,?,?,?), ref: 2DE139A8
                        • GetWindowLongA.USER32(00000000,000000F0), ref: 2DE119E5
                        • SendMessageA.USER32(?,0000036E,?,?), ref: 2DE11A2A
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Enable$EnabledLongMessageSend
                        • String ID:
                        • API String ID: 2621221260-0
                        • Opcode ID: bb32262985773ac4c274de814cd8d7655f76918331de0e9f2c0d111f52b75e43
                        • Instruction ID: ed0aa6e6f5bd644c96fbd842ebb37869c49961a97d3258602a31e6ba4ec09716
                        • Opcode Fuzzy Hash: bb32262985773ac4c274de814cd8d7655f76918331de0e9f2c0d111f52b75e43
                        • Instruction Fuzzy Hash: CB11E131714A05AFDF124F64C845BAE7AF5EB40A95F10812AE22AFA250EF32DD40CB00
                        APIs
                        • GetTopWindow.USER32(?), ref: 2DE1192E
                        • GetTopWindow.USER32(00000000), ref: 2DE1196D
                        • GetWindow.USER32(00000000,00000002), ref: 2DE1198B
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window
                        • String ID:
                        • API String ID: 2353593579-0
                        • Opcode ID: b729a9e4a16570d845ed4569ce66a9d6bb9f616785952e555f7525a1062118bb
                        • Instruction ID: fec8727d7d8e7ba6ea117a30a31bb2514799f35f5b82e6184f2dab452ec24182
                        • Opcode Fuzzy Hash: b729a9e4a16570d845ed4569ce66a9d6bb9f616785952e555f7525a1062118bb
                        • Instruction Fuzzy Hash: 6801E53620411ABBCF135F909C04F9E3B6AFF183D1F018010FA29B5160CB36CA61EBA5
                        APIs
                        • FindResourceW.KERNEL32(2DE00000,?,00000005,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113A3
                        • LoadResource.KERNEL32(2DE00000,00000000,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113AF
                        • LockResource.KERNEL32(?,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113C0
                        • FreeResource.KERNEL32(?,?,?,?,2DE11500,2DE1E6DC), ref: 2DE113DF
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Resource$FindFreeLoadLock
                        • String ID:
                        • API String ID: 1078018258-0
                        • Opcode ID: a8efbe4908ec1c30af3138e6126bc090e3f7a193e84cd5ac370c438b2d57004a
                        • Instruction ID: a83c390b76d7d32bf5f5ba7546a353102d56c1239423eb3a03057b618e331e4a
                        • Opcode Fuzzy Hash: a8efbe4908ec1c30af3138e6126bc090e3f7a193e84cd5ac370c438b2d57004a
                        • Instruction Fuzzy Hash: 10012633305D509FC7032BA288C8A7A33F8AF4561E703416DEA42FB605EB76CD428794
                        APIs
                        • GetDlgItem.USER32(000088C4,?), ref: 2DE111DA
                        • GetTopWindow.USER32(00000000), ref: 2DE111ED
                          • Part of subcall function 2DE111CF: GetWindow.USER32(00000000,00000002), ref: 2DE11234
                        • GetTopWindow.USER32(000088C4), ref: 2DE1121D
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Item
                        • String ID:
                        • API String ID: 369458955-0
                        • Opcode ID: 0ed834fd8d47b5b5f2f938f65daeef79185cd43fddb9785e295095d7fe1ff936
                        • Instruction ID: 78caea8ff3a2c42641585fb84a70031ac7c1f5089cf3231b375ab8e39500d269
                        • Opcode Fuzzy Hash: 0ed834fd8d47b5b5f2f938f65daeef79185cd43fddb9785e295095d7fe1ff936
                        • Instruction Fuzzy Hash: 60014B36305626A7CB132E618C00F9E3AA9AF157D5F018020FE04F5111EF35DE51E6E9
                        APIs
                        • GetLastActivePopup.USER32(?), ref: 2DE11A66
                        • GetForegroundWindow.USER32(00000000,?,?,2DE11DE0,?,?,00000034,2DE07728,?,?,?), ref: 2DE11A78
                        • IsWindowEnabled.USER32(?), ref: 2DE11A8B
                        • SetForegroundWindow.USER32(?), ref: 2DE11A98
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Foreground$ActiveEnabledLastPopup
                        • String ID:
                        • API String ID: 3209796547-0
                        • Opcode ID: fec151bf59149b915f30028da6df567905d8e51527dcf3a3a4c1db77088edd60
                        • Instruction ID: 4237eff81fc594085150e6e58ff0ff235704687a9804344f421f4b2d54d88b24
                        • Opcode Fuzzy Hash: fec151bf59149b915f30028da6df567905d8e51527dcf3a3a4c1db77088edd60
                        • Instruction Fuzzy Hash: 3CF0A432B09B01EFDF115B60E80866A7BE8AF00756B01C124E625F4050CFB9CD48CB90
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: DeleteObject$H_prolog3
                        • String ID:
                        • API String ID: 2471701793-0
                        • Opcode ID: 5755b9e2f4bf303a9d8c68cd99a4ca2b5906f1947a79675eecd3f6a190e20cb5
                        • Instruction ID: 38ace634ff8e6bf6bb9e00150678546841b3af3d9f301dc73749b2e9d0ecd5db
                        • Opcode Fuzzy Hash: 5755b9e2f4bf303a9d8c68cd99a4ca2b5906f1947a79675eecd3f6a190e20cb5
                        • Instruction Fuzzy Hash: B6F03C71B00710CBCB10EFA9888051EF6F5BF68614B610A2DE29AF7750CF70ED408A45
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE1592A
                        • GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • TlsGetValue.KERNEL32(0000000D,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15955
                        • SetLastError.KERNEL32(00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15984
                          • Part of subcall function 2DE15E13: TlsAlloc.KERNEL32(00000000,?,2DE15946,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15E1B
                          • Part of subcall function 2DE15E13: GetVersion.KERNEL32(?,2DE15946,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15E1F
                          • Part of subcall function 2DE15E13: TlsAlloc.KERNEL32(?,2DE15946,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE15E32
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AllocErrorLast$H_prolog3ValueVersion
                        • String ID:
                        • API String ID: 2925315393-0
                        • Opcode ID: 313e1bb0cc4c6370f46f50a6be960fbc810c3b6ece0fc85aff8293679f3325a7
                        • Instruction ID: f5c9f16dda4a944d973ccb3fadc4225e0d58409ec143351d6e5ce2369c46e43b
                        • Opcode Fuzzy Hash: 313e1bb0cc4c6370f46f50a6be960fbc810c3b6ece0fc85aff8293679f3325a7
                        • Instruction Fuzzy Hash: 93F03072B142118FC745ABB88845B7D26F0AB18F75B510715EA3AFB3C0DF68CE409A56
                        APIs
                        • GetSysColor.USER32(0000000F), ref: 2DE08462
                        • SendMessageA.USER32(?,00000443,00000000,00000000), ref: 2DE0847F
                        • SendMessageA.USER32(?,0000043B,00000000,00000000), ref: 2DE0848B
                        • SendMessageA.USER32(?,00000445,00000000,00000000), ref: 2DE084A8
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: MessageSend$Color
                        • String ID:
                        • API String ID: 3922397608-0
                        • Opcode ID: e1f3708014c83522ad4db5db84b6bfd067d8a4279d37c00a3d55301fab7e63e7
                        • Instruction ID: 412843cd4cedd6ee6d8f9951360010306d7e914bd1480d890d6077efd6b5ec9f
                        • Opcode Fuzzy Hash: e1f3708014c83522ad4db5db84b6bfd067d8a4279d37c00a3d55301fab7e63e7
                        • Instruction Fuzzy Hash: ADF0A771500558B6DA215F12CC08F6B3E6CEBC5FA3F00803AB72879050C6714541CAA5
                        APIs
                        • IsWindowUnicode.USER32(?), ref: 2DE109F9
                        • DefWindowProcW.USER32(?,?,?,?), ref: 2DE10A0F
                        • DefWindowProcA.USER32(?,?,?,?), ref: 2DE10A17
                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 2DE10A2C
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        • Associated: 00000007.00000002.2232487004.000000002DE00000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232526714.000000002DE1E000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232544368.000000002DE22000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000007.00000002.2232560837.000000002DE23000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Window$Proc$CallUnicode
                        • String ID:
                        • API String ID: 3117573011-0
                        • Opcode ID: 6712436b275561412faa981374861e3c3c1730d9292a5f24fae0e1f0567602e9
                        • Instruction ID: 5ebc51056c884d8a66915a40fdacbe896c621bd537ce56ead9cfa337ac5e82ae
                        • Opcode Fuzzy Hash: 6712436b275561412faa981374861e3c3c1730d9292a5f24fae0e1f0567602e9
                        • Instruction Fuzzy Hash: 06F0BD36200609EFDF129FA5C808E9A7FB9FF087917108418FA56FA521DB36DD24EB54
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE158B2
                        • free.MSVCR90 ref: 2DE158CB
                        • TlsGetValue.KERNEL32(00000004,2DE12DCD,?,?,2DE159B3,00000001,2DE1263C,?,?,?,?,?,?,?,?,?), ref: 2DE158DC
                        • TlsSetValue.KERNEL32(00000000,?,?,2DE159B3,00000001,2DE1263C,?,?,?,?,?,?,?,?,?,?), ref: 2DE158EE
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: Value$H_prolog3free
                        • String ID:
                        • API String ID: 3023147540-0
                        APIs
                        • WriteConsoleW.KERNEL32(00000000,6C8E14C0,6C8E899D,00000000,00000000,?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000), ref: 6C901BF3
                        • GetLastError.KERNEL32(?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000,?,?,?,6C8F425A,?), ref: 6C901BFF
                          • Part of subcall function 6C901BC5: CloseHandle.KERNEL32(FFFFFFFE,6C901C0F,?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000,?,?), ref: 6C901BD5
                        • ___initconout.LIBCMT ref: 6C901C0F
                          • Part of subcall function 6C901B87: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C901BB6,6C8FE1E5,?,?,6C8F3C9C,?,00000000,00000000,?), ref: 6C901B9A
                        • WriteConsoleW.KERNEL32(00000000,6C8E14C0,6C8E899D,00000000,?,6C8FE1F8,00000000,00000001,00000000,?,?,6C8F3C9C,?,00000000,00000000,?), ref: 6C901C24
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        • Associated: 00000007.00000002.2232579160.000000006C8D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232632846.000000006C904000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232657417.000000006C914000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232681716.000000006C93C000.00000004.00000001.01000000.00000006.sdmp
                        • Associated: 00000007.00000002.2232702929.000000006C93D000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        APIs
                          • Part of subcall function 2DE15FCC: KiUserCallbackDispatcher.NTDLL(00000002), ref: 2DE15FDE
                          • Part of subcall function 2DE15FCC: GetSystemMetrics.USER32(00000003), ref: 2DE15FE8
                        • GetDC.USER32(00000000), ref: 2DE16025
                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 2DE16036
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 2DE1603E
                        • ReleaseDC.USER32(00000000,00000000), ref: 2DE16046
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: CapsDevice$CallbackDispatcherMetricsReleaseSystemUser
                        • String ID:
                        • API String ID: 1894321826-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: _strcspn
                        • String ID: @
                        • API String ID: 3709121408-2766056989
                        APIs
                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6C8E5A10
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        APIs
                        • __EH_prolog3.LIBCMT ref: 2DE06FC2
                        • memset.MSVCR90 ref: 2DE06FD5
                          • Part of subcall function 2DE052D6: GetProcAddress.KERNEL32(00000000,00000142), ref: 2DE052F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressH_prolog3Procmemset
                        • String ID: D
                        • API String ID: 2467443255-2746444292
                        APIs
                          • Part of subcall function 6C8F5AAD: MultiByteToWideChar.KERNEL32(6C8FAE39,00000100,E8458D00,00000000,00000000,00000020,?,6C8F8002,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 6C8F5B1D
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C8E8FCF,00000000,?,00000000,2463616368652E646174), ref: 6C8E8DEC
                        • __dosmaperr.LIBCMT ref: 6C8E8DF3
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: ByteCharErrorLastMultiWide__dosmaperr
                        • String ID: 2463616368652E646174
                        • API String ID: 2434981716-3036274828
                        APIs
                          • Part of subcall function 2DE15923: __EH_prolog3.LIBCMT ref: 2DE1592A
                          • Part of subcall function 2DE15923: GetLastError.KERNEL32(00000004,2DE10854,00000004,2DE109B6,00000000,?,?,?,2DE10E48,00000004,2DE04F59), ref: 2DE1592F
                        • GetClassInfoA.USER32(-00000068,?), ref: 2DE1185A
                          • Part of subcall function 2DE04609: _vsnprintf.MSVCR90 ref: 2DE0463A
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: ClassErrorH_prolog3InfoLast_vsnprintf
                        • String ID: Afx:%x$Afx:%x:%x:%x:%x
                        • API String ID: 3801848739-1102061830
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: EmptyH_prolog3Rect
                        • String ID: X$-
                        • API String ID: 1443337074-1787739716
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C8D3939
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6C8D398C
                          • Part of subcall function 6C8E0EDD: _Yarn.LIBCPMT ref: 6C8E0EFC
                          • Part of subcall function 6C8E0EDD: _Yarn.LIBCPMT ref: 6C8E0F20
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                        • String ID: bad locale name
                        • API String ID: 1908188788-1405518554
                        APIs
                        • GetModuleHandleW.KERNEL32(mso.dll,?,2DE0FBDC,?,00000201,?,?,80000000), ref: 2DE0F624
                        • MessageBoxW.USER32(00000000,7FFFFEF8,80000008,00000000), ref: 2DE0F681
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: HandleMessageModule
                        • String ID: mso.dll
                        • API String ID: 2216695990-1671880577
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C8E12F3
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E1331
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232601084.000000006C8D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_6c8d0000_MSWordServices.jbxd
                        Similarity
                        • API ID: Lockitstd::_$Lockit::_Lockit::~_
                        • String ID: outlook-web.ddns.net
                        • API String ID: 593203224-2894021055
                        APIs
                        • ??_U@YAPAXI@Z.MSVCR90(?,p(-,?,?,2DE13669,p(-,?,00000000,?,2DE157B6,00000000,?,?,?,2DE02870,?), ref: 2DE13607
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID:
                        • String ID: p(-$p(-
                        • API String ID: 0-773738704
                        APIs
                          • Part of subcall function 2DE03F46: LoadLibraryA.KERNEL32(?,2DE19D60,00000010), ref: 2DE03F75
                        • GetProcAddress.KERNEL32(00000000,00000142), ref: 2DE052F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2232503245.000000002DE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 2DE00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_2de00000_MSWordServices.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: 4-$olmapi32.dll
                        • API String ID: 2574300362-675466117